(54) Title: NEW OPERATION FOR KEY INSERTION WITH FOLDING
(57) Abstract 

MultiDES based systems with bit-slice implementation, one embodiment of the method of the present invention, form a new cipher 
based on a modification of the bit-slice implementation of DES. Therein, the exclusive-or within the F function is replaced by a form of 
multiplication. Thus every simultaneous encryption depends, in all of the bits of input into the s-box, on every other parallel encryption. 
Any invertible group operation could be used in place of multiplication. The principal requirement is that every input bit influence 
every output bit. The operation need not be easily invertible; for example, common multiplication using exclusive-or to fold the upper and 
lower halves of the result yields a strong candidate. The method of the present invention uses a careful form of folding so that the inputs to 
any s-box depend on at least half of the input bits. MultiDES based systems with bit-slice implementation are particularly preferred. 
The recommended key schedule for Feistel and other block ciphers uses the block cipher itself to cause complete mixing of the key bits 
and pseudo-random expansion into conveniently sized subkeys. A subkey chaining mode, in which the subkeys generated by one encryption 
influence future encryptions, is proposed in place of cipher block chaining mode. A Feistel structure allowing further extension of the 
block length for subkey chaining output is proposed. 
NEW OPERATION FOR KEY INSERTION WITH FOLDING 


Background: FIELD OF INVENTION 

This invention relates to using a form of multiplication as the key insertion operation, 
and to related folding methodologies useful for forming a keyed hash function of shorter input length. 

Bit-slice methodology is used in one of the preferred embodiments of the method of the 
present invention. 

BACKGROUND: PRIOR ART 

The classic approach to cryptographic hashing was proposed by Ron Rivest of MIT 
in a function called MD5 (Message Digest 5; its iterated structure is the Merkle-Damgård construction). A theoretical 
criticism was raised at Eurocrypt '96 by James Massey in a talk, "The 
difficulty with difficulty." Massey contends that a function of complexity similar to MD5 
will invert the function. This criticism holds for all non-keyed proposed one-way functions. 

It being understood that where reference is made in an embodiment of the present 
invention to any cryptographic primitive, especially MD5 and derivatives thereof, MultiDES 
based systems, subkey chaining mode, as well as MultiDES based systems with bit-slice implementation 
are preferably and optionally employed. A version of MD5-MAC is described in Menezes, van 
Oorschot and Vanstone, "Handbook of Applied Cryptography," CRC Press, New York, 1996. 
Entropy, cipher-block-chaining, probabilistic checking for correctness and other 
cryptographic terms are defined in Menezes et al. The available descriptions of MD5-MAC are not 
easily understood, nor is the rationale for the particular construction readily apparent. 

The inventor of the present invention has proven Massey's conjecture for a simplified version of 
MD2 (a hash function by Ron Rivest). Viewed as a whole, all but one step of MD2 is 
an involution. Thus the inverse function is not merely of the same complexity as MD2, but is 
identically the same function. This is a very undesirable property for a hash function. 

There exist modifications of MD5 which allow for keyed hashing. However, MD5 is not 
deeply understood and has not undergone extensive analysis. Hans Dobbertin has found 
collisions (two inputs yielding the same output) in the hash function MD4, the predecessor whose 
weaknesses motivated the additional complexity of MD5. 

Another prior art approach is to use classical symmetric block algorithms for hashing. 
CAST is obviously different from the method of the present invention in that it uses expansion-based 
s-boxes: fewer input bits (8 bits) yield 32-bit outputs. CAST relies on esoteric 
properties of bent functions, and it is difficult for many people to understand its s-box design principles 
well enough to place the necessary amount of trust in them. 

Whitfield Diffie commented at Eurocrypt '98 to the inventor of the present invention that it would 
take him, one of the founders of public-key cryptography, a full year to understand s-box design. 
Thus the cryptographic community finds significant obstacles to understanding and verifying 
different s-box designs. 

IDEA, U.S. patent #5,214,703, in its current form does not have a block length of 128 bits. It 
differs from the method of the present invention because a preferred embodiment of the method of the 
present invention maintains the overall Feistel structure of DES, changing mainly the key-insertion 
and scheduling operations. The operation shown in section 3.4.1 (p. 34) of "On the design and 
security of block ciphers" by X. Lai and J. Massey differs in content and purpose from the method of 
the current invention. In content, the operations are performed at once on four sets of inputs and are 
strictly single algebraic group operations; in purpose, no extension of block length is achieved. 
Outside reviews of IDEA are not widely available due to its relative newness. 

Another application of the method of the present invention is a Message Authentication Code 
(MAC). An approach to a MAC given in the Brachtl U.S. Patent #4,908,861 
differs from our construction in that we provide folding within the round function, whereas Brachtl does 
so only on the entire DES encryption. The construction of the method of the present invention provides 
more thorough mixing by using a form of multiplication within the round. It is unknown how much 
cryptanalysis the MDC-2 and MDC-4 modes have withstood. 

An extremely different approach to hashing could be constructed using RC5, again by Ron Rivest. 
As he is the author of MD5 above, he favors MD5 for that application. RC5 is obviously different 
from the method of the present invention in that it uses data-dependent rotations as its principal 
operation. This operation may have significant drawbacks. In a recent attack on RC5 at Eurocrypt 
'98, weaknesses are shown in a slightly modified version. 

The inventor of the present invention had a part in the earlier stages of the mentioned attack on 
RC5 during his attacks on data-dependent rotations as a cryptographic consultant. 
RSA, U.S. patent #4,405,829, is different from the method of the present invention because the 
method of the present invention uses the same key for encryption and decryption. The system of the 
present invention is based on classical (i.e. Shannon 1949) confusion and diffusion rather than pure 
algebraic structures. RSA, due to its algebraic structure, has the multiplicative property: the 
encryption of a times the encryption of b equals the encryption of the product a*b. Thus RSA is not 
appropriate for use as a hash function or to encrypt arbitrary user-supplied data. (For example, see 
Coppersmith, Eurocrypt '96 for some attacks on RSA.) 
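The multiplicative property just described, as an added example that is not part of the patent. It uses the textbook RSA parameters p=61, q=53, e=17 (an assumption chosen so the numbers can be checked by hand; real keys use primes of 1024 bits or more). Beyond confirming E(a)*E(b) = E(a*b) mod n, it shows the consequence for arbitrary user-supplied data: a decryption oracle that refuses the target ciphertext but decrypts anything else still reveals the target's plaintext once the attacker blinds it with E(r). For a hash function the same property would let anyone compute the digest of a product from the digests of its factors.

```python
def textbook_rsa_keygen(p, q, e):
    """Toy key generation from two given primes (assumed small for readability)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), d

def rsa_encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(c, pub, d):
    return pow(c, d, pub[0])

def multiplicative_property(pub, a, b):
    """E(a) * E(b) mod n == E(a * b mod n): the homomorphism the text refers to."""
    n, _ = pub
    return (rsa_encrypt(a, pub) * rsa_encrypt(b, pub)) % n == rsa_encrypt(a * b % n, pub)

def recover_via_blinding(c, pub, d, r):
    """Consequence of the property: an oracle that decrypts anything except c itself
    still reveals m = D(c). Multiply c by E(r), have the oracle decrypt the product
    (which is m * r mod n), then strip r. rsa_decrypt stands in for the oracle."""
    n, e = pub
    blinded = (c * pow(r, e, n)) % n
    if blinded == c:
        raise ValueError("blinding factor must change the ciphertext; choose r != 1")
    m_times_r = rsa_decrypt(blinded, pub, d)      # the only oracle call
    return (m_times_r * pow(r, -1, n)) % n
```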

An attempt to use DES, U.S. patent #3,962,539, in its current unmodified form would not be 
appropriate because of its small key and block lengths. DES differs from the method of the present 
invention because the key insertion operation has been changed, the key schedule revised, and a 
methodology of folding introduced to yield larger block and key sizes. The description of the method 
of the present invention hereby incorporates patent 3,962,539 specifically by reference to define 
the terms s-box, F, E expansion, key schedule and P permutation. (See tables II-IV.) Descriptions of prior 
art DES implicitly refer thereto. The reader is referred also to FIPS PUB 46-1, Data Encryption 
Standard, and FIPS PUB 81, DES Modes of Operation. It being understood that where reference is 
made to DES and derivatives thereof as part of an embodiment of the present invention, MultiDES 
based systems as well as MultiDES based systems with bit-slice implementation are preferably and optionally 
employed. 

The U.S. patent of Feistel, #3,798,359, was filed in 1971; DES was based on the Feistel structure. 
The reader may refer to a substantially equivalent description in [BiSh93, appendix A]. 
A bit-slice fast parallel bit-wise vector implementation of DES is described in Biham, E., "A fast 
new DES implementation in software," Proceedings of the Fast Software Encryption Workshop, 
Springer-Verlag, January 1997. 

On page 8, Biham states that: "We can use this fast code to design a new, even faster, and more 
secure cipher, which we call WDES. We convert the code by removing IP, FP, and changing the EPS 
operations (S boxes followed by P followed by E, as used in this implementation) into S boxes from 8 
to 64 bits. These S boxes can be much better than the original, since each S box affects all of the bits 
of all of the S boxes in the next round (rather than one bit in only six S boxes)." 

A bit-slice implementation relies on the key insertion inside the F function being a bit-wise 
operation. It requires redesigning the substitution boxes of DES in the form of logic gates. Biham's 
implementation of the logic gates was appropriate for exactly 64-bit machines, and the Biham method 
for WDES was appropriate for s-boxes with exactly 64-bit outputs. The method of the present invention 
is appropriate particularly for 32-bit machines, and thus for 32-bit output s-boxes. 

Trying to use bit-slice DES for hashing would immediately fail because fundamentally it is just a 
collection of DES operations running in parallel without interaction between them. Bit-slice DES is 
different from MultiDES based systems with bit-slice implementation, one embodiment of the method 
of the present invention, because the key insertion operation has changed. Thus MultiDES based 
systems with bit-slice implementation, one embodiment of the method of the present invention, do 
not share the equivalence between bit-slice DES and DES. 

The structure of DOS directory file entries is described in "PC Intern: The Encyclopedia of 
System Programming," Tischer and Jennrich, Abacus, 1996. The PC Intern document defines a 
variety of terms of the art including "file handle", "opening a file", "FAT", "hard drive", "hard drive 
serial number", "sector number", "number of read/write heads" and "cluster". The term "file" is 
intended to include a directory or a directory tree. An "attribute byte" is a byte within the directory 
entry of a file as defined in PC Intern. 

Differential cryptanalysis is a methodology for attacking ciphers. Biham and Shamir teach against 
a preferred embodiment of the method of the present invention. Biham, E. and Shamir, A., 
Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, New York, 1993, in 
section 4.5.3.1 of chapter 4, states that "If we replace the exclusive or operation within the F function 
by an addition operation we get a much weaker cryptosystem." The term "F function" and other 
conventional DES terms such as subkey, as well as how to decrypt using DES, are explained in Biham 
and Shamir's Appendix A, "Description of DES", and/or in the Glossary of the Biham and Shamir 
publication. On page 14, Biham and Shamir remark that "to simplify the mathematical analysis of our 
attacks, we assume that all subkeys are independent. Attacks on DES with dependent subkeys were 
experimentally shown to have the same probability of success, but the theoretical analysis of the 
probability is much harder." The method described in the theory of the present invention grapples 
with issues where carry is present, such as in addition or multiplication based operations. In the 
theory of the present invention, the Biham-Shamir assumption, which implies that the success of an attack is 
independent of the particular key chosen, is shown not to apply. 

The disclosures of all publications mentioned in the specification and of the publications cited 
therein are hereby incorporated by reference. 

PRIOR ART: DATA ENCRYPTION STANDARD, FEISTEL STRUCTURE 
BACKGROUND: DES (Data Encryption Standard) was developed by IBM with advice from the 
NSA (National Security Agency) of the United States of America. The NSA also made modifications 
to the S-boxes. DES is one of the most widely employed encryption algorithms. The Data 
Encryption Standard is built as spelled out by the above referenced Biham-Shamir publication. Its 
speed is 12,000 bytes per second on a Pentium 120 MHz machine. 
The standard implementation is as follows: 

Inputs: 64-bit key and 64-bit plain text (reference is made to figures 14-15). 
KEY SCHEDULE 

The 64-bit key enters an initial permutation (PC-1), which discards the parity bits so that a 56-bit key is used. 
The 56 bits are split into 28-bit halves; on each round each half is left circular shifted by 1 or 2 bits 
depending on the round, and a compression permutation (PC-2) selects 48 of the 56 bits for use in that round. 
FEISTEL STRUCTURE AND DES ROUND 

The 64-bit plain text also undergoes an initial permutation and is then split into 32-bit halves. On 
each round, the right half undergoes an expansion permutation which results in 48 bits (16 of the 
32 bits are repeated); the key bits from the compression permutation and the input bits from the 
expansion permutation are combined by exclusive-or, and the result is split into 8 6-bit units, each 
an input to one of 8 S-boxes. Each S-box consists of 4 rows by 16 columns of values from 0 through 
15. The outer 2 bits of a 6-bit input determine the row (hex: 0..3) and the middle 4 bits determine 
the column (hex: 0..F). The output is the value at that row and column of the S-box. 



WO 99/08411    PCT/IL98/00369 

The 8 S-boxes each yield 4 bits for a total of 32. These bits undergo a P-box permutation, which 
mixes these bits. Finally, the bits are combined by exclusive-or with the left half of the round 
input bits. Then the left half becomes the right half, and the exclusive-or result 
becomes the left half for the start of the next round. At the end of the final round, the right half 
remains as is, and the exclusive-or result replaces the left half. 

OBJECTS AND ADVANTAGES 

Accordingly, several objects and advantages of the preferred embodiment of the method of the 
present invention are speed, simplicity of design, cryptographic strength and flexibility in key-block 
lengths. Herein the prior art will be assumed to be Triple-DES (DES used three times with two 
distinct keys of 56 bits each). 

One advantage and object of the method of the present invention is superior speed relative to 
the prior art. Due to the increased resistance to cryptanalysis and large block size, the method of the 
present invention achieves better security than Triple-DES in fewer than 16 rounds. 

Another advantage and object of the method of the present invention is a larger block 
size. This allows for hashing, stream cipher applications, and resistance to birthday attacks, wherein 
matching input/output pairs indicate a correspondence within the underlying scheme. In addition to 
the required key-block sizes, the method of the present invention optionally and preferably provides 
192-192 and 256-256 key-block sizes. The speed per byte encrypted is faster at the 
larger block sizes. For encrypting large amounts of data or data with significant local structure, a 
large block size such as 256 bits is necessary for security. 

Another advantage and object is resistance to differential cryptanalysis. The use of the 
multiplication operation in combination with the complex folding makes classical methods of 
differential cryptanalysis difficult to apply. It is important for any new system to address this approach. 

Another advantage and object is key size and flexibility. The method of the present invention 
provides for a variable key size ranging from 40 bits to 256 bits for its 64-bit to 256-bit 
block size modes. Each key bit which is used has an impact on the resulting encryption. 

Another advantage and object is flexibility in the key setup time required. An embodiment of the 
method of the present invention generates new keys while it encrypts. Thus key setup takes just one 
encryption time. In another embodiment of the method of the present invention, the key schedule 
performs any user defined plurality of rounds between samplings of key material. 

User choices of 4, 8, 16 or 32 rounds are recommended due to studied properties of the Feistel 
structure. For example, after 4 rounds the Feistel structure is "complete." Completeness means that each 
input bit has the opportunity to influence each specific output bit. As another example, after 16 
rounds the Feistel structure has executed four sets of four rounds each. Thus, should an F function 
be chosen which is substantially similar to that used in prior art DES, yet failing to have all 32 
output bits in each round depend on each input bit, 16 rounds provide completeness 
under less demanding assumptions on the properties of the F function. 

Thus, for applications which need to rapidly change keys, a preferred embodiment of the 
method of the present invention does so. For applications which require security against key search, 
another preferred embodiment of the method of the present invention does so. 

Another advantage and object is reusability. The method of the present invention uses the 
encryption algorithm to accomplish rapid and secure key scheduling. The method of the present 
invention uses the well-tested E expansion, S-boxes, P permutation and Feistel structure of prior art 
DES patent #3,962,539. The method of the present invention uses commonly available 
multiplication. All of the constant values present in the preferred embodiment of the method of the 
present invention are available in implementations of prior art DES. Using widely available constant 
values increases the confidence level of potential users of the method of the present invention. 
Another advantage and object is compact implementation. The method of the present 
invention, in the preferred embodiment for every specific key-block size of less than a thousand bits 
mentioned herein, has been implemented in ANSI C in less than 3/4 of the size of a comparable 
DES implementation. 

Another advantage and object is simplicity of design. The method of the present invention 
changes the key insertion operation within the F-function to include multiplication. The folding 
which thereby becomes possible enables arbitrarily long block sizes using a simple and regular 
construction. 
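The key insertion operation described above, as an added example that is not part of the patent's own code. It implements one reading of the operation (64-bit product of the 32-bit data word and subkey word, upper half folded into the lower half by exclusive-or, then both arguments exclusive-ored in; the exact formula is an assumption, since the patent gives no equation) and measures, over random inputs, how many output bits change when one input bit flips. Three variants are compared: DES's exclusive-or, multiplication truncated to 32 bits, and multiplication with folding. The point of the folding shows in the bit-31 case: truncated multiplication can never carry a change in the top bit downward, while folding spreads it across the whole word. In a bit-slice implementation, where each 32-bit word holds one bit position from 32 parallel encryptions, carries crossing bit positions are exactly what makes the parallel encryptions interact. The measurement is a diffusion check only; it says nothing about differential probabilities, which for carry-based operations depend on the key, as the text notes.

```python
import random

MASK32 = 0xFFFFFFFF

def xor_insert(x, k):
    """DES key insertion: bit-wise, so output bit i depends only on bit i of x and k."""
    return x ^ k

def mul_trunc_insert(x, k):
    """Multiplication truncated to 32 bits. Carries only travel upward, so a flip in a
    high input bit can never reach a lower output bit."""
    return (x * k) & MASK32

def mul_fold_insert(x, k):
    """Product with folding (assumed reading of the patent's 'product plus exclusive-or'):
    take the 64-bit product, XOR its upper half into its lower half, then XOR in both
    arguments so the result is not simply zero when either argument is zero."""
    p = x * k
    return ((p >> 32) ^ (p & MASK32) ^ x ^ k) & MASK32

def avalanche(op, bit=None, trials=2000, seed=1):
    """Mean number of output bits that change when one bit of x is flipped (a random
    bit per trial, or the given bit), over random 32-bit x and k. Seeded so the
    figure is reproducible."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        x, k = rng.getrandbits(32), rng.getrandbits(32)
        flip = 1 << (rng.randrange(32) if bit is None else bit)
        total += bin(op(x, k) ^ op(x ^ flip, k)).count("1")
    return total / trials
```

Exclusive-or scores exactly 1.0 in every case; truncated multiplication scores at most 1.0 when bit 31 is flipped (the change is k's low bit shifted to position 31, or nothing at all); the folded product moves roughly half the word in both measurements.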

Another advantage and object is that the method of the present invention can control a 
microprocessor to create the output of a hashing algorithm. The embodiment of the method of the 
present invention with 256-bit block size can be used as a keyed or non-keyed hashing function in 
place of MD5. One preferred embodiment of the method of the present invention takes the 
upper and lower 128 bits of the output as arguments to the exclusive-or function to yield a 
single 128-bit output. Another preferred embodiment of the method of the present invention uses an 
exclusive-or of the input plain text with the output cipher text to yield a 256-bit block output. 

Another preferred embodiment of the method of the present invention allows the round input 
to the new F function to depend on substantially more than half of the bits of the given block 
size. Another preferred embodiment of the method of the present invention allows the round output 
of the new F function to influence substantially more than half of the bits of the given block size. 
These two preferred embodiments differ substantially from the classic Feistel structure referred to 
herein. 

Another preferred embodiment of the method of the present invention is to use an exclusive-or 
of the round plain-text-derived input with the round plain-text-derived output to yield the new 
plain-text-derived output. 

Even if the key were to be published, the result would still be hard to invert: the exclusive-or of 
the plain text into the output means that knowing the key does not let one simply decrypt the output 
back to the input. 

The advantages would include: 

1. Smaller input block size of 256 instead of 512 (the MD5 message block). 
This is often more convenient for small data items such as passwords. 

2. A natural method for keying built into the cipher. 

3. Easier to understand and clearer design principles. 

Another advantage and object is the ability to define a new mode of operation which derives from 
execution of the cipher in key-generation mode, using the newly generated subkeys for future 
encryptions. The key-generation mode also produces cipher text of the desired plain text. 
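The cipher-driven key schedule and the subkey-chaining (key-generation) mode described here, and in the earlier discussion of key setup time and round counts, as an added example; this is illustration code, not the patent's own, and the cipher is a toy. Assumptions: a 64-bit, four-round Feistel structure; a round function built from the product-and-fold key insertion followed by a fixed rotate/exclusive-or mix, in place of the patent's DES-derived E expansion, S-boxes and P permutation; four fixed initial subkeys (arbitrary constants) under which the master key is encrypted to produce the round subkeys; and a chaining step that folds each round's state into the subkey that produced it. None of these choices comes from the page and the toy is not secure. What it shows is the structure: the schedule costs one encryption of the master key, the subkeys for block i+1 come out of the encryption of block i, identical plaintext blocks encrypt differently without any IV, and the decryptor can follow the chain because Feistel decryption passes through the same round states in reverse order.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
# Predetermined initial subkeys for the key schedule (assumed constants; the page gives
# no values). These are the first 32-bit words of the fractional part of pi.
INITIAL_SUBKEYS = [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344]

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def insert(x, k):
    # Product-then-fold key insertion (assumed form): 64-bit product, high half folded
    # into the low half by XOR, then both arguments XORed in.
    p = x * k
    return ((p >> 32) ^ (p & MASK32) ^ x ^ k) & MASK32

def f(x, k):
    # Illustrative round function: keyed insertion, then a fixed rotate/XOR mix so every
    # output bit depends on several input bits. Not the patent's F.
    y = insert(x, k)
    return y ^ rotl(y, 7) ^ rotl(y, 19)

def feistel_enc(block, subkeys):
    """Encrypt one 64-bit block; also return the (L, R) state after each round."""
    l, r = (block >> 32) & MASK32, block & MASK32
    states = []
    for k in subkeys:
        l, r = r, l ^ f(r, k)
        states.append((l, r))
    return (r << 32) | l, states          # halves swapped back, as in DES

def feistel_dec(block, subkeys):
    """Decrypt one block. Decryption visits the same round states in reverse order,
    so the decryptor can rebuild the subkey chain from them."""
    r, l = (block >> 32) & MASK32, block & MASK32
    states = []
    for k in reversed(subkeys):
        states.append((l, r))
        l, r = r ^ f(l, k), l
    return (l << 32) | r, list(reversed(states))

def key_schedule(master_key):
    """Expand a 64-bit master key by encrypting it under the fixed initial subkeys and
    sampling the right half of each round state as that round's subkey. Every subkey
    depends on every master key bit after the first round."""
    _, states = feistel_enc(master_key & MASK64, INITIAL_SUBKEYS)
    return [r for (_, r) in states]

def next_subkeys(states, subkeys):
    # Subkey-chaining step (assumed form): fold each round's state into the subkey that
    # produced it, so block i+1 is encrypted under keys that depend on block i.
    return [insert(l ^ r, k) for (l, r), k in zip(states, subkeys)]

def encrypt_chained(blocks, master_key):
    subkeys, out = key_schedule(master_key), []
    for b in blocks:
        c, states = feistel_enc(b, subkeys)
        out.append(c)
        subkeys = next_subkeys(states, subkeys)
    return out

def decrypt_chained(blocks, master_key):
    subkeys, out = key_schedule(master_key), []
    for c in blocks:
        p, states = feistel_dec(c, subkeys)
        out.append(p)
        subkeys = next_subkeys(states, subkeys)
    return out
```

One consequence worth noting: unlike CBC decryption, decryption in this mode is strictly sequential, and a corrupted or lost block makes every later block undecryptable, since the subkeys for each block derive from processing the previous one.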

Another advantage and object is handling high bandwidth or highly structured inputs whose 
structure often remains apparent when using small block size ciphers. The large block size and 
effective mixing, which is apparent after a mere four rounds of the cipher, provide protection against 
matching based "birthday" attacks as well as scrambling local patterns better than CBC mode alone. 
A fast gate-based implementation is available for large block sizes. 
Another advantage and object of the method of the present invention is that it does not exhibit 
known weak keys, complementation properties, or self-complementing keys. 

Another advantage and object of the method of the present invention is that even in a simplified 
method, the round-dependent masks would cause weak subkeys to be round-dependent. Such a 
restriction greatly reduces the usefulness of such a weak subkey for attacking the system. 

An advantage and object of a method of the preferred embodiment is application to ATM 
networks. These networks have high bandwidth, so fast algorithms processing a large block size 
are advantageous here. The increased block size, speed and resistance to cryptanalysis with respect to 
Triple-DES give TMD an advantage for this application. 
An advantage and object of a method of the preferred embodiment is application in cipher feedback 
mode, cipher block chaining mode or subkey-generation chaining mode to yield a stream cipher. 

An advantage and object of a method of the preferred embodiment employs cipher-block-chaining 
(hereinafter CBC) with a random initialization vector (hereinafter IV), generated using counter mode 
and a secret key, to yield ciphertext which yields no computational information about the plaintext. 
An advantage and object of a method of the preferred embodiment can be employed after 
applying the exclusive-or function to a plain text with a key stream, and followed by applying the 
exclusive-or function to a cipher text with a key stream. 

A preferred embodiment of the method of the present invention, TMD, is a CBC based message 
authentication code (hereinafter MAC). Apply the CBC mode to the text after padding (if necessary), 
then decrypt the final result using another secret key. This is the MAC result. There is no need for a 
random IV in this case. Some DES based MACs can be attacked in 2^32 time due to their small key-
block size. However, here a block size of a minimum of 128 bits would be suitable, making this 
approach far superior to current MACs using DES. 

An advantage and object of a method of the preferred embodiment is application to High 
Definition Television, Satellite and Voice applications. A large block cipher combined with rapid 
execution time gives TMD advantages for this application. The dependence on highly defined 
and structured data means that reliance on cipher-block-chaining with block ciphers of a short length 
is not recommended: from a repeated cipher block one can learn the exclusive-or of the two corresponding 
plain text blocks. 
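The two points above, the CBC-based MAC with a final decryption under a second key and the plaintext exclusive-or leaked by a repeated cipher block, as an added example that is not part of the patent. Assumptions: a constructed toy 16-bit block cipher (a keyed random permutation) stands in for a real cipher so that the birthday effects appear after a few hundred blocks instead of 2^32, and the MAC's chain starts from a zero IV. The same internal-collision search that finds a repeated CBC block also forges the MAC: two prefixes that reach the same chain value share a tag for any common suffix, and the final decryption under the second key is applied to that same value, so it does nothing against this. Both effects scale as 2^(n/2) in the block size n, which is the argument for a 128-bit or larger block.

```python
import random

BLOCK_BITS = 16
N = 1 << BLOCK_BITS

def toy_cipher(key):
    """Constructed toy block cipher: a keyed random permutation of the 2^16 block values.
    It stands in for any 16-bit-block cipher; everything below depends only on block size.
    Returns (encrypt, decrypt) functions."""
    table = list(range(N))
    random.Random(key).shuffle(table)
    inverse = [0] * N
    for x, y in enumerate(table):
        inverse[y] = x
    return (lambda p: table[p]), (lambda c: inverse[c])

def cbc_encrypt(enc, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = enc(p ^ prev)
        out.append(prev)
    return out

def cbc_collision_leak(iv, ciphertext):
    """Find the first repeated ciphertext block C_i == C_j (i < j). The cipher is a
    permutation, so equal outputs mean equal inputs: P_i ^ C_{i-1} == P_j ^ C_{j-1},
    and the XOR of the two plaintext blocks equals the XOR of the two preceding
    ciphertext blocks (C_{-1} being the IV). Returns (i, j, P_i ^ P_j) or None."""
    chain = [iv] + ciphertext          # chain[t] is XORed into block t before encryption
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            i = seen[c]
            return i, j, chain[i] ^ chain[j]
        seen[c] = j
    return None

def cbc_leak_demo(n_blocks=2000, key=1234, iv=0x1234, seed=7):
    """Encrypt constructed random plaintext blocks and compare the leaked XOR with the
    truth. With a 16-bit block a repeat is expected after about 2^8 blocks.
    Returns (i, j, leak_matches_truth) or None if no block repeated."""
    enc, _ = toy_cipher(key)
    rng = random.Random(seed)
    pt = [rng.randrange(N) for _ in range(n_blocks)]
    found = cbc_collision_leak(iv, cbc_encrypt(enc, iv, pt))
    if found is None:
        return None
    i, j, leaked = found
    return i, j, leaked == pt[i] ^ pt[j]

def cbc_mac(enc_k1, dec_k2, blocks):
    """The MAC as described: CBC chain from a zero IV over the (already padded) text,
    then decrypt the final block under a second key."""
    tag = 0
    for p in blocks:
        tag = enc_k1(p ^ tag)
    return dec_k2(tag)

def forge_by_internal_collision(enc_k1, dec_k2, suffix, budget=2000, seed=5):
    """Birthday search for two distinct 2-block prefixes with the same chain value.
    Any common suffix then yields the same tag, so a tag obtained legitimately for
    one message is a valid forgery for the other.
    Returns (known_message, forged_message, tag) or None within the budget."""
    rng = random.Random(seed)
    seen = {}
    for _ in range(budget):
        m1, m2 = rng.randrange(N), rng.randrange(N)
        chain = enc_k1(m2 ^ enc_k1(m1))
        if chain in seen and seen[chain] != (m1, m2):
            known = list(seen[chain]) + suffix
            return known, [m1, m2] + suffix, cbc_mac(enc_k1, dec_k2, known)
        seen[chain] = (m1, m2)
    return None
```

With a real 64-bit block the same two searches need on the order of 2^32 blocks or queries, which is the figure the text cites for DES-based MACs; with a 128-bit block they need 2^64.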
Another advantage and application, in accordance with another preferred embodiment of the 
present invention, is a system for protecting confidentiality of information written on a notebook 
computer, the system including: an automatic file-by-file information protector operative to protect a 
plurality of files on an automatic file-by-file basis, the information protector including a symmetric 
encryptor using a symmetric cryptosystem to encrypt an individual file, thereby to generate an 
encrypted individual file; and a notebook storage manager operative to store the encrypted individual 
file on a notebook computer. 

Another object and application, in accordance with another preferred embodiment of the 
present invention, is a system for protecting confidentiality of information written on a hard disk, the 
system including: a symmetric file encryptor using a first symmetric cryptosystem to encrypt a file 
having a selectably known file key; and a symmetric file key encryptor operative to encrypt the 
selectably known file key using a second symmetric cryptosystem and a selectably known master key 
derived from a selectably known pass phrase using a cryptographically strong hash function. 
Further objects and applications of the present invention will become apparent from a 
consideration of the drawings and ensuing description. 
DESCRIPTION of DRAWINGS 

The present invention will be understood and appreciated from the following detailed description, 
taken in conjunction with the drawings in which: 

Figure 1 is an exemplary illustration of a preferred method explaining how to make and use an 
encryption and decryption portion of the method of the present invention; 

Figure 2 is an exemplary illustration of a preferred method explaining how to make and use the 
key insertion portion of the method of the present invention; preferably, the form of multiplication 
chosen will be the common product of the two arguments plus the exclusive-or of the arguments; 

Figure 3 is an exemplary illustration of a preferred method explaining how to make and use an 
operation on two inputs yielding a double-sized result, a portion of the method of the current invention; 
preferably, half of the double-sized result is folded into a companion execution of the method; 

Figure 4 is an exemplary illustration of a preferred embodiment which explains how to make and 
use the key schedule portion of the method of the present invention; 

Figure 5 is an exemplary illustration of a preferred embodiment which explains how to make and 
use the substantial key-block size portion of the machine of the present invention; 

Figure 6 is an exemplary illustration of an optional embodiment which explains how to make and 
use an improved key schedule portion of the method of the present invention; preferably, including 
feeding the full 64 key bits per block into a rearranged PC2 from prior art DES; 

Figure 7 is an exemplary illustration of a preferred embodiment which explains how to make and 
use the form of multiplication portion of the method of the present invention; 

Figure 8 is an exemplary illustration of a preferred embodiment which explains how to make and 
use a permutation to span multiple blocks, a portion of the method of the present invention; 

Figure 9 is an exemplary illustration of a preferred embodiment which explains how to make and 
use a circuit-based logic-gate implementation of the machine of the present invention; 

Figure 10 is an exemplary illustration of an alternative embodiment which explains how to make 
and use masks derived from DES s-box entries; table 1, a Key Selection Permutation Table in an 
improved key schedule, designates which master key bits will be selected for each round subkey; 

Figure 11 (top) is an exemplary illustration of a preferred embodiment which explains how to 
make and use inputs of master key and predetermined initial keys to yield master-key-derived 
subkeys; 

Figure 11 (middle) teaches how to make and use inputs of master key and predetermined initial keys to 
yield master-key-derived subkeys; these subkeys are used to encrypt a plain text in key-generation mode, 
which in turn generates additional subkeys as well as a cipher text; 

Figure 11 (bottom) teaches how to make and use subkey-feedback mode; 

Figure 12 is an exemplary illustration of a preferred embodiment of the method of the present 
invention which explains how to make and use the encryption and decryption portion of the method 
of the present invention. It differs from figure 1 in that it recites fewer optional elements; 

Figure 13 is an exemplary illustration of a preferred embodiment which explains how to make and 
use the key schedule portion of the method of the present invention; it differs from figure 4 in that it 
recites fewer elements and generalizes to non-Feistel methods; 

Figure 14 is an exemplary illustration of a preferred embodiment which explains how to make and 
use an internal round function portion of the method of the present invention; 
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Figure 15 is an exemplary illustration of a preferred embodiment which explains how to make and 
use a Feistel structure for MuW-DFS portion of the method of the present invention; 

Figure 16 is an exemplary illustration ofa preferred embodiment which explains how lo make and 
use a particular form of multiplication portion of the method of the present invention; 
5 Figure 1 7 is an exemplary illustration of a preferred embodiment which explains how to make and 
use an example round function for TMD using two MultiDES encryptions in tandem; 

Figure 1 8 is an exemplary illustration of a preferred embodiment which explains how to make and 
use an example round function TMD using three MultiDES encryptions in tandem; 

Figure 19 is an exemplary illustration of a preferred embodiment which explains how to make and 
10 use an example round function TMD using four MultiDES encryptions in tandem; 

Figure 20 is a simplified flowchart illustration of a preferred method for protecting data on a 
notebook computer; 

Figure 21 is a simplified flowchart illustration ofa preferred method for protecting confidentiality 
of information written on notebook computer, the method being constructed and operative in 
15 accordance wilh a preferred embodiment of the present invention; 

Figure 22 is a simplified flowchart illustration of a use of a slightly modified MD5-MAC message 
authentication code method constructed and operative in accordance with a preferred embodiment of 
the present invention; 

Figure 23 is a simplified flowchart illustration of a preferred methoifor generation of file keys 
20 forming a part of the method of figure 22, using contents of DOS directory entries as plain texts and 
keys to generate a file key; 

Figure 24 is a simplified flowchart illustration of preferred method for performing an encryption of 
a file using the method of figure 23 to generate file keys and the output of the method of figure 22 to 
protect the file key; 

Figure 25 is a simplified flowchart illustration of a preferred method for performing an encryption 
of a file on a sector by sector basis using unique information based on the location on the particular 
hard disk and cipher-block-chaining within the sector; and 

Figure 26 is a simplified flowchart illustration of a preferred method for performing the method of 
figure 25 wherein the encryption is a fast parallel bit-wise vector implementation of DES with a form of 
multiplication substituted for exclusive-or when combining the subkey with the plaintext derived 
input. 

Figure 27 is a simplified flowchart illustration of a DES encryption method constructed and 
operative in accordance with a preferred embodiment of the present invention; 

Figure 28 is a simplified flowchart illustration of a first preferred method for performing an n'th 
DES round forming part of the method of figure 27, using addition to combine subkey with plain text 
derived input; 

Figure 29 is a simplified flowchart illustration of a second preferred method for performing an n'th 
DES round forming part of the method of figure 27; 

Figure 30 is a simplified flowchart illustration of a modification of figure 2 in which first and 
second permutations and mapping are employed to perform the DES round; 

Figure 31 is a simplified flowchart illustration of a third preferred method for performing an n'th 
DES round forming part of the method of figure 27; 

Figure 32 is a simplified flowchart illustration of a DES encryption method constructed and 
operative in accordance with another preferred embodiment of the present invention; 

Figure 33 is a simplified flowchart illustration of a fourth preferred method for performing an n'th 
DES round forming part of the method of figure 32, using multiplication to combine subkey with 
plain text derived input; 

Figure 34 is a simplified flowchart illustration of a fifth preferred method for performing an n'th 
DES round forming part of the method of figure 32; 

Figure 35 is a simplified flowchart illustration of a modification of figure 33 in which first and 
second permutations and mapping are employed to perform the DES round; 

Figure 36 is a simplified flowchart illustration of a sixth preferred method for performing an n'th 
DES round forming part of the method of figure 32; 
Attached herewith are the following appendices which aid in the understanding and appreciation of 
one preferred embodiment of the invention shown and described herein: 

A separate section entitled Theory of present invention has been printed by itself, yet is to be read 
as an integral part of the disclosure. These findings build on research findings which indicate that 
replacing the exclusive-or function with an addition operation does not always yield a weaker 
cryptosystem, contrary to the teachings of Biham and Shamir in Section 4.5.3.1 of Chapter 4 of the 
above-referenced Biham-Shamir publication. 
FORM OF MULTIPLICATION 

An advantage and object of employing a form of multiplication to accomplish key insertion is the 
ability to demonstrate, in the Theory of Operations section, the strength of the method of the present 
invention by attacking a simplified version with differential cryptanalysis. The simplification is to take 
the form of multiplication to be common multiplication with carry discarded. 

Attempts at using differential cryptanalysis with a ratio (a multiplicative rather than an exclusive-or 
difference) to cancel the key insertion face building difference distribution tables over all 16 to 32 bits 
at once, due to interference with the P permutation. Thus, the preferred embodiment of the method of 
the present invention employs a form of multiplication in place of exclusive-or as the key insertion 
operation due to its better mixing and consequent resistance to cryptanalysis. 

Another advantage and object of a preferred definition of multiplication is that it allows a pair of 
values to be blended whereby the upper half of one product has the exclusive-or function applied with 
the lower half of the companion product. 

A form of multiplication can be selected from the group including: 

(a) in the algebraic sense, i.e. any operation on two arguments yielding a third, e.g. elliptic curve 

(b) common multiplication 

(c) multiplication over a ring 

(d) multiplication over a field (or nearly a field) 

(e) multiplication over a Fermat or Mersenne field (or nearly a field) 

(f) common multiplication, yielding an upper and a lower half, and a linear combination thereof 

(g) common multiplication of n inputs to yield an interim product, exclusive-or between subsets 
of those n inputs to yield a mix, optionally concatenating distinct mixes to yield a length equal to the 
interim product, and summing the interim product and the (concatenated) mix to yield a product 

(h) any of the above forms of multiplication on a plurality of arguments 

(i) any of the above forms of multiplication where at least one argument is a constant 

It being understood that operations described herein for brevity as a form of multiplication may 
have their implementation optimized to eliminate a common multiplication operation; representation 
notwithstanding, it shall still be considered herein a form of multiplication. Clearly, any multiplication 
can be rewritten in the form of additions and shifts, yet it is still understood to be multiplication. 

Reference is made to figure 2. The preferred embodiment of the present invention employs a form 
of multiplication to do key insertion. The form employed can be multiplication over a Fermat field such as 
2^16 + 1. Alternatively, the method of the present invention employs common multiplication with carry 
discarded as the form of multiplication. Optionally, a form of multiplication includes addition or 
multiplication of points on an elliptic curve. (See for example, Silverman, Arithmetic of Elliptic 
Curves, 1986, Springer-Verlag.) Optionally, any operation for which the "*" operator is overloaded in 
object-oriented languages such as Ada or C++ is a form of multiplication. 

In a preferred embodiment of the method of the present invention, a form of multiplication can be 
understood as the operation on a, b defined by a*b + (a exclusive-or b), where * is common 
multiplication, + is common addition, and exclusive-or is common exclusive-or. This definition of a 
form of multiplication is novel and non-obvious. The term "product" is defined herein to refer 
typically to this form of multiplication, wherein the two variables used for illustrative purposes only 
could be a plurality of variables such as a*b*c + (a exclusive-or b exclusive-or c). Alternatively, the 
term "multiplication", in particular with a plurality of variables, could be defined as 
a*b*c + (((a ^ b) << 32) | ((b ^ c) << 16) | (c ^ a)). Alternatively, the form of multiplication with a 
plurality of variables is defined as 
a*b*c*d + (((a ^ b ^ c) << 48) | ((b ^ c ^ d) << 32) | ((c ^ d ^ a) << 16) | (d ^ a ^ b)). Following ANSI C 
conventions, "^" is exclusive-or, "|" is binary-or, and "<< x" means shift left x bits; the parentheses 
around each exclusive-or term are written out because in C "<<" binds more tightly than "^". Implicitly, 
the example herein assumes a word size of 16 bits, however, this is strictly exemplary as any word size 
could be suitably employed by dividing "x" by 16 and multiplying by the desired word size. 

The term "resultant product" is therefore typically the result of such blending of a plurality of 
products. Looking at the resultant product, it substantially retains the benefits of modulo 
multiplication using the common definition of multiplication. 

In another embodiment of the method of the present invention, a form of multiplication can be 
understood to be the operation on a, b defined by a*b wherein the variable lower is assigned the 
lower half of the product and the variable upper the upper half of the product. The result shall be a linear 
combination of upper and lower, for example for constants c1, c2: c1*upper + c2*lower. Alternatively, 
understand linear combination to be c1*upper exclusive-or c2*lower, as well as substantially similar 
constructions. 
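The two-, three- and four-argument forms defined above, together with the upper/lower linear-combination form, written out in C as an added example; this is not code from the patent, and the function names (mul_form2, mul_form3, mul_form4, lincomb_form) and the discarding of carry beyond 48 bits in the three-argument form are this example's own choices. The word size is 16 bits as in the text, and the shifted lanes are written with the parentheses spelled out so that each lane holds the exclusive-or of the inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* Word size 16 bits as in the text: a two-argument product is 32 bits,
 * a three-argument product 48 bits, a four-argument product 64 bits. */

/* a*b + (a ^ b). The sum cannot overflow 32 bits, since
 * (2^16-1)^2 + (2^16-1) < 2^32. */
uint32_t mul_form2(uint16_t a, uint16_t b)
{
    return (uint32_t)a * b + (uint32_t)(a ^ b);
}

/* a*b*c + (((a^b) << 32) | ((b^c) << 16) | (c^a)): each XOR pair lands in
 * its own 16-bit lane of the 48-bit product. Carry beyond 48 bits is
 * discarded (an assumption of this example, not stated in the text). */
uint64_t mul_form3(uint16_t a, uint16_t b, uint16_t c)
{
    uint64_t prod = (uint64_t)a * b * c;
    uint64_t mix  = ((uint64_t)(a ^ b) << 32)
                  | ((uint64_t)(b ^ c) << 16)
                  |  (uint64_t)(c ^ a);
    return (prod + mix) & 0xFFFFFFFFFFFFull;
}

/* a*b*c*d + (((a^b^c) << 48) | ((b^c^d) << 32) | ((c^d^a) << 16) | (d^a^b)).
 * Each lane is the XOR of three of the four inputs; unsigned 64-bit
 * wraparound discards any carry out of the top. */
uint64_t mul_form4(uint16_t a, uint16_t b, uint16_t c, uint16_t d)
{
    uint64_t prod = (uint64_t)a * b * c * d;
    uint64_t mix  = ((uint64_t)(a ^ b ^ c) << 48)
                  | ((uint64_t)(b ^ c ^ d) << 32)
                  | ((uint64_t)(c ^ d ^ a) << 16)
                  |  (uint64_t)(d ^ a ^ b);
    return prod + mix;
}

/* Linear-combination form: split the 32-bit common product into halves and
 * return c1*upper XOR c2*lower, truncated to the 16-bit word size. */
uint16_t lincomb_form(uint16_t a, uint16_t b, uint16_t c1, uint16_t c2)
{
    uint32_t p = (uint32_t)a * b;
    uint16_t upper = (uint16_t)(p >> 16), lower = (uint16_t)p;
    return (uint16_t)(((uint32_t)c1 * upper) ^ ((uint32_t)c2 * lower));
}

int main(void)
{
    printf("mul_form2(3,5)           = %u\n", mul_form2(3, 5));
    printf("mul_form3(1,2,3)         = 0x%012llx\n", (unsigned long long)mul_form3(1, 2, 3));
    printf("mul_form4(1,1,1,2)       = 0x%016llx\n", (unsigned long long)mul_form4(1, 1, 1, 2));
    printf("lincomb(0x1234,0x10,2,3) = 0x%04x\n", lincomb_form(0x1234, 0x0010, 2, 3));
    return 0;
}
```

Note that in the two-argument form every bit of a and b reaches the low half of the product only through the multiply, while the exclusive-or term touches only the low 16 bits; it is the folding of the upper half into the lower, described in the following sections, that carries the long-range effect of carry back into the word that feeds the s-boxes.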

When present in a Feistel structure, a key-inserter may use any form of multiplication desired. The 
term "key-inserter" is not intended to be used where the form of multiplication is multiplication 
modulo 65537 to form a first product, followed by addition modulo 65536 using that product, 
followed by multiplication modulo 65537 to form a second product, followed by addition modulo 
65536 between the first and second products. 

When employing a multiplier, an exception is treating one or more input values distinctly. A 
non-exclusive indicator of exceptions is conditional constructions in programming languages. A 
logarithmic number of exceptions is a limited number of conditional constructions, for example, fewer 
than 16 for the field modulo 65537. 

If the length of each integer is 8 bits and if multiplication over a ring is employed then the ring 
may, for example, be modulo 257 wherein 0 is considered to be -1. If the length of each integer is 16 
bits and if multiplication over a ring is employed then the ring may, for example, be modulo 65537 
wherein 0 is considered to be -1. If the length of each integer is 32 bits and if multiplication over a ring is 
employed then the modulus of the ring is typically slightly in excess of 2^32 (2^32 + 1 itself is 
composite, 641 × 6700417, so unlike 257 and 65537 it gives a ring rather than a field). 

Optionally, the justification for broadening the definition of a form of multiplication to include variant 
forms is the mathematical fact that multiplication modulo 2^n + 1 can be calculated in such a linear 
combination manner, with subtraction used suitably to yield the correct identity in the linear combination 
(since 2^n is congruent to -1, a 2n-bit product reduces to lower - upper, adding the modulus back when 
the difference is negative). Alternatively, a form of multiplication is understood to include 
multiplication over a ring. 

Alternatively, a form of multiplication is understood in the algebraic sense, thus an operation on 
two arguments yielding a third. Clearly, addition or exponentiation is understood in the algebraic context 
to be a form of multiplication. Thus, language such as performing a round function employing a 
form of multiplication is understood to include employing common addition, addition with carry 
discarded, common multiplication and common multiplication with carry discarded, and others. 

For example, employing a key insertion operation of a form of multiplication within DES would 
describe add-DES, wherein addition is substituted for exclusive-or in the round function. Use of 
non-symmetric operations such as subtraction or division is herein considered to be a form of 
multiplication. In an embodiment of the present invention, division over a field is accomplished by 
finding the multiplicative inverse, followed by standard multiplication over the field. 

An advantage and object of the present invention is achieving a product which benefits from the 
long-range effects of carry present in multiplication together with the preservation of Hamming 
weight independence provided by exclusive-or. An alternative form of multiplication in which zero is 
treated as negative one is believed to be an alternative to the preferred definition of the form of 
multiplication. Through experimental work, the alternative form of multiplication was shown to have 
so-called "weak keys": keys with either a high or low Hamming weight would cause less satisfactory 
results using the alternative form. Preferably, the implementation of the above definition of product as 
a plurality yields an additional novel and unobvious way of mixing values in companion executions of 
modified round functions. 

An advantage and object of the present invention is to achieve as thorough mixing of distant bits 
as is possible in modulo multiplication. 

Another advantage of the preferred embodiment of the present invention with a preferred 
definition of multiplication is that it allows a pair of such resultant products to be blended. 

FORM OF FOLDING 

A form of folding operates on a pair of double-length results of a form of multiplication to yield a 
single double-length result. A preferred embodiment of the present invention performs exclusive-or 
between the upper half of a first double-length result and the lower half of a second double-length 
result to yield a first mix. Preferably, in addition, exclusive-or is performed between the lower half of 
the first double-length result and the upper half of the second double-length result to yield a second 
mix. Further preferably, concatenate the first mix to the second mix to yield a folded result. 

Herein a form of folding includes performing at least one application of an element selected from 
the group consisting of a form of multiplication, a form of folding, and a form of blending. 

Folding refers to a wide variety of operations available on computers; typically such operations are 
group operations and occasionally the operations are bit-wise. Folding a single-size portion into a 
companion execution implies application of a group operation between all of the single-size portions 
to be folded in, yielding a single-size result. Typical folding can be addition or exclusive-or. 
Extended folding may involve pseudo-random expansion, perhaps employing a form of 
multiplication, in proximity to application of a group operation. 

An object and advantage of the method of the present invention is to create a pair of outputs 
whose individual bits vary with each of a plurality of inputs. 

Another object of the method of the present invention is to create a pair of outputs wherein 
individual bits vary with each bit of a plurality of inputs. 

Another object and advantage of the method of the present invention is to extend the block length of a 
cryptographic primitive. 

FORM OF BLENDING 

A form of blending operates on a pair of double-length results of a form of folding or a form of 
multiplication to yield a single double-length result. A preferred embodiment of the present 
invention performs exclusive-or between the upper half of a first double-length result and the lower 
half of a second double-length result to yield a first mix. Further perform exclusive-or between the 
lower half of the first double-length result and the upper half of the second double-length result to 
yield a second mix. Further, concatenate the first mix to the second mix to yield a blended result. 

Optionally and preferably, an embodiment of the present invention on a pair of double-length 
inputs performs a concatenation of the upper half of a double-length input and the lower half of the 
other double length input to yield a blended result. 

Optionally and preferably, a form of blending operates on an n-size input, yielding a single-size 
result. Optionally, a form of blending operating on an n-size input, yielding a single-size output, may 
employ a form of multiplication. Further optionally, the form of multiplication employed may be 
exclusive-or. 

The results of preferably more than one distinct multiplication are combined in a blending 
operation. The blending operation on two arguments a, b returns a 32-bit result wherein the upper half 
of the result is the lower half of a. The lower half of the result is the upper half of b. Preferably, the 
blending arguments a and b are chosen so that, when possible, a depends on different plain text 
derived inputs from b. Likewise, every output of the multiplication must appear exactly once as 
the left and once as the right argument of the blend. 
Thus, each s-box's input depends on a subkey-based pseudo-random expansion of half of the bits 
of the plain text derived input. Moreover, the bits are only 16 bits out of each 32 bit input block. 
Thus, the four s-boxes are two pseudo-random expansions of half the input bits and two pseudo-random 
expansions of the other half of the bits. For illustrative purposes, the embodiments feature a 16 
bit word-size, however any suitable word-size would be appropriate. The reader mentally divides 16 and 
32, where they appear in the text, by 16 and multiplies by the new word size. 

Blending refers to a wide variety of operations performed with computational devices such as PC 
computers; typically such operations are permutations of bits. An example of an effective blending is 
selecting two groups of 16 bits out of distinct 32-bit quantities. Another example of blending would 
be selection of every fourth bit from four quantities. Another example of blending would include a 
plurality of group operations on the selected bits. 

A combiner is a logic circuit which performs folding or blending as necessary. Combining is 
either folding or blending as necessary. Combining may also be forming a third permutation which is 
equivalent to a composition of two given permutations. Combining may also be forming a third 
mapping equivalent to a composition of two given mappings, for example s-boxes followed by E 
expansion or P permutation followed by E expansion. 

Definitions appearing in this section are hereby extended to include definitions and implicit usage 
elsewhere in the text. For example, a form of multiplication, folding, and blending are understood to 
be broadened by descriptions elsewhere in this document and in the figures. 
20 SUMMARY: METHOD AND MACHINE OF PRESENT INVENTION 

The method of the present invention provides symmetric encryption using a form of multiplication 
to accomplish key insertion and allow for extension of block length. 

Reference is made to figure 1. According to a preferred embodiment of the present invention 
there is provided a method for performing a round function of an iterated encryption for a plurality of 
32-bit input blocks, the steps of the method being performed by a data processor, the method 
comprising the steps of: numbering the plurality of input blocks from "0" to "n" with an input block 
number; splitting each of the plurality of input blocks into an upper half and a lower half to produce 
plain text-derived input; combining plain text-derived input with a plurality of round-dependent 
subkeys according to a form of multiplication to form a blended product; applying a plurality of 
s-boxes of the F function of a DES encryption algorithm to the blended product; and applying the P 
permutation of the F function of a DES encryption algorithm to the output of the s-boxes. An advantage 
and object is that each of the round output bits depends on at least half of the round input bits. 
Another advantage and object is enhancement of resistance to differential cryptanalysis. A number of 
failed attempts have been made in the prior art to extend the block length beyond 64 bits. The classic 
failure in the prior art is G-DES. (Documented and broken in [BiSh93].) 

Reference is made to figure 2. A preferred embodiment of the machine of the present invention 
for encrypting comprising: a key-inserter which employs a form of multiplication for key insertion, 
whereby the block length of the encryption can be extended. Thus, localized visible structure is 
scrambled, particularly useful when data represents a picture or mobile set of pictures. 

Reference is made to figure 3. Another preferred embodiment of the machine of the present 
invention wherein multiplication occurs in chunks at least as large as single bytes. An object and 
advantage is that the number will fit into common hardware registers. Another object and advantage 
is that the chunk may be chosen to apply over a Fermat field. 

In the mentioned preferred embodiment of the machine of the present invention, further wherein 
the individual multiplications are carried out over a Fermat field. An object and advantage of 
multiplication over a field is that the result is known to be a permutation (of the non-zero elements; with 
the convention above that the word 0 stands for -1, every word represents a non-zero element, so 
multiplication by any fixed subkey permutes all 2^16 words). Another advantage and 
object of multiplication over a field is that for any known output, there exists a key which will 
transform the output to any desired input value. This property is referred to throughout this text 
hereinafter as a "group" operation. An operation which is substantially similar to this group operation 
will be called a "group-like" operation. An object and advantage of a group operation is that the 
output of the multiplication carries no information about the plain text input. 

In the mentioned preferred embodiment of the machine of the present invention, wherein the form 
of multiplication in the key inserter comprises: common multiplication of arguments to yield a 
product, designating the upper and lower half of the product, combining the upper half with the lower 
half using exclusive-or to form a final product. An object and advantage of this embodiment is that 
the final product maintains the behavior of modulo multiplication without the clear algebraic structure. 
Another object and advantage of the form of multiplication is enabling folding the result of the form 
of multiplication with itself or another companion execution. Another object and advantage is that the 
machine can be generalized to more than two arguments. 

In the mentioned preferred embodiment of the machine of the present invention, the form of 
multiplication in the key inserter comprises: common multiplication of arguments to yield a first 
product, common multiplication of other arguments to yield a second product, designating a upper 
and lower half of the first product, designating an upper and lower half of the second product, 
combining the upper half of the first product with the lower half of the second product using 
exclusive-or to form a first final product. Combining the upper half of the second product with the 
lower half of the first product using exclusive-or to form a second final product. An object and 
advantage of the form of multiplication is that the resultant apparatus for folding solves the long-felt 
need for a 128-bit block method. Another advantage of the form of multiplication is that the machine 
can be generalized to more than two arguments. 

In the mentioned preferred embodiment of the machine of the present invention, the form of 
multiplication in the key inserter comprises: circuits to perform multiplication on a plurality of 
arguments to form a first product. Logic circuits perform exclusive-or on the plurality of arguments 
to form a second product. Logic circuits perform addition between the first product and the 
second product to form a gorilla product. An advantage of the form of multiplication is that the result 
is a pseudo-random expansion of one of the arguments. An object of the form of multiplication is that 
it enables folding the result of the form of multiplication with itself or another companion execution. 
Another advantage of the form of multiplication is that the machine can be generalized to more than 
two arguments. A preferred embodiment of the folding machine of the present invention wherein the 
gorilla product is provided to a machine comprising: a counter which counts the plurality of 
arguments, calling it n. A repeater provides a new set of arguments and calculates n gorilla products. 
A splitter which divides each gorilla product into n pieces, each with index i from 1..n. A combiner 
which combines using exclusive-or n pieces such that each combination takes exactly one piece from 
each gorilla product, and exactly one piece of any gorilla product with the index i for all i. The 
combiner yields a plurality of n folded products. A preferred embodiment of the machine of the 
present invention, wherein the form of multiplication in the key inserter comprises: (a*b) + (a 
exclusive-or b), whereby the result is a pseudo-random expansion of one of the arguments. 
Another preferred embodiment of the method of the present invention for operating a general 
purpose data processor of known type to enable the data processor to encrypt comprising: employing an 
operation on two inputs yielding a double-size result, folding half of the result into a companion 
execution. An advantage and object is that a shorter input length keyed hash function can be built. 

Another advantage is that pass phrases can be processed without excessive padding. 

Reference is made to figure 4. A preferred embodiment of the method of the present invention for 
constructing a key schedule for an encryption algorithm, the steps of the method being performed by 
a data processor, the method comprising the steps of: determining a first set of at least one subkey for 
the encryption algorithm; encrypting a master key according to the encryption algorithm by using the first 
set of at least one subkey to produce a cipher text, repeating the encryption of the master key for at 
least a first number of rounds required to achieve dependence of every bit of cipher text on each bit 
of the master key; continuing the encryption of the master key for an integral number of rounds, the integral 
number being at least one, extracting subkeys from the output of the round; further continuing the 
encryption of the master key and extraction of subkeys until a second set of subkeys has been 
generated. An advantage and object is that the key schedule solves the need for an expandable, 
generalizable, fast, user-defined speed, well-mixed key schedule. 

A preferred embodiment of the method of the present invention wherein the first set of at least one 
subkey is derived from DES s-box entries. 

A preferred embodiment of the method of the present invention wherein the second set of at least 
one subkey is derived from the output of the round function in the encryption algorithm. 

A preferred embodiment of the method of the present invention further comprising the steps of: 
encrypting the cipher text with the second set of at least one subkey according to the encryption 
algorithm to produce further encrypted cipher text, with the object and advantage of creating a third 
set of subkeys for use in encryption of actual plain text. 
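The figure 4 schedule, carried through in C as an added example that is not the patent's own code. The cipher driven by the schedule is a constructed 64-bit Feistel whose round function is the multiply-and-fold product of the text (a stand-in for the MultiDES round the patent intends, not that cipher itself); the "first set" of subkeys is assumed to be the first row of DES S1 packed into two 32-bit words; and the warm-up count of 16 rounds, the extraction of the right half of each round output as a subkey, and the chaining of a third set from the second are this example's own choices. The warm-up count should in practice be set from a diffusion measurement of the real cipher rather than taken from here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy Feistel round constructed for this example. F multiplies the right
 * half by the subkey, adds the exclusive-or term, and folds the upper 32 bits
 * of the 64-bit product into the lower 32 bits by exclusive-or. */
static uint32_t toy_f(uint32_t r, uint32_t k)
{
    uint64_t p = (uint64_t)r * k + (uint64_t)(r ^ k);
    return (uint32_t)(p ^ (p >> 32));
}

static uint64_t toy_round(uint64_t state, uint32_t k)
{
    uint32_t l = (uint32_t)(state >> 32), r = (uint32_t)state;
    uint32_t nl = r, nr = l ^ toy_f(r, k);
    return ((uint64_t)nl << 32) | nr;
}

/* First set of subkeys: the first row of DES S1 (14 4 13 1 2 15 11 8 3 10
 * 6 12 5 9 0 7) packed into nibbles. Assumed here as the "subkeys derived
 * from DES s-box entries". */
static const uint32_t INITIAL_SUBKEYS[2] = { 0xE4D12FB8u, 0x3A6C5907u };

/* Generic schedule: encrypt `master` under `in_keys` (cycled) for `warmup`
 * rounds without extracting anything, then keep encrypting and take the
 * right half of every round output as the next subkey until `count` have
 * been produced. Returns the final state so a further set can be chained. */
uint64_t key_schedule(uint64_t master, const uint32_t *in_keys, size_t n_in,
                      unsigned warmup, uint32_t *out, size_t count)
{
    uint64_t s = master;
    size_t ki = 0;
    for (unsigned i = 0; i < warmup; i++, ki++)
        s = toy_round(s, in_keys[ki % n_in]);
    for (size_t j = 0; j < count; j++, ki++) {
        s = toy_round(s, in_keys[ki % n_in]);
        out[j] = (uint32_t)s;          /* right half = left ^ F(right, subkey) */
    }
    return s;
}

/* Second set from the initial subkeys; third set, for encrypting actual
 * plain text, by continuing to encrypt the resulting cipher text under the
 * second set. 16 warm-up rounds is an assumption of this example. */
void derive_round_keys(uint64_t master, uint32_t *final_keys, size_t count)
{
    uint32_t second[16];
    uint64_t ct = key_schedule(master, INITIAL_SUBKEYS, 2, 16, second, 16);
    key_schedule(ct, second, 16, 16, final_keys, count);
}

/* Helpers for checking the schedule: the first extracted subkey with no
 * warm-up, and whether two master keys yield different final key sets. */
uint32_t first_subkey_no_warmup(uint64_t master)
{
    uint32_t out[1];
    key_schedule(master, INITIAL_SUBKEYS, 2, 0, out, 1);
    return out[0];
}

int schedules_differ(uint64_t k1, uint64_t k2)
{
    uint32_t a[16], b[16];
    derive_round_keys(k1, a, 16);
    derive_round_keys(k2, b, 16);
    for (int i = 0; i < 16; i++)
        if (a[i] != b[i]) return 1;
    return 0;
}

int main(void)
{
    uint32_t rk[16];
    derive_round_keys(0x0123456789ABCDEFull, rk, 16);
    for (int i = 0; i < 16; i++)
        printf("round %2d subkey 0x%08x\n", i + 1, rk[i]);
    return 0;
}
```

With no warm-up and a zero master key the first extracted subkey is simply the first fixed subkey, since F(0, k) = k after folding; that is exactly why the text insists on enough warm-up rounds for every cipher-text bit to depend on every master-key bit before any subkey is taken.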

Reference is made to figure 5. Another preferred embodiment of the machine of the present 
invention for encrypting comprising: circuits which employ at least a 128-bit key and block size. An 
object and advantage is that the machine is suitable as a hash function. An additional advantage is 
employing the current invention instead of a human needing to provide and debug a distinct, less well 
understood specialized hash. An unexpected result is that every bit of key and every bit of plain text 
cause every single bit of the resultant cipher text to become unpredictable. 

Another preferred embodiment of the machine of the present invention for encrypting further 
comprising the circuits providing the large key size are implemented by using the circuits providing a 
large block size. An advantage is that the machine key schedule can be accomplished in zero 
additional time. An object is that the machine mixes rapidly over the entire block size. Another 
advantage is the generality of the key schedule which provides a rapid key schedule design ready for 
new ciphers. 

Another preferred embodiment of the machine of the present invention for encrypting further 
comprising an optimal sorting network. An advantage of employing an optimal sorting network is to 
ensure complete mixing within each round. An object of employing the generalized construction of 
optimal sorting methods is that it allows the machine to be extended to arbitrary sizes. An advantage of 
accomplishing extension of block size to arbitrary sizes is that larger proportions of the output can be 
disclosed together, yet reversal of the whole process remains difficult. 
Reference is made to figure 6. Another preferred embodiment of the method of the present 
invention for operating a general purpose data processor of known type to enable the data processor to 
encrypt employing a key schedule comprising: feeding the full set of 64 key bits per block into a 
rearranged PC2 from DES. An object of feeding the full 64 bits per block into a rearranged PC2 from 
DES is that all of the key bits provided by the user are employed. An advantage of employing all of 
the key bits is that exhaustive search on such a modified method would require guessing the full 64 
bits. For a number of years, attempts have failed to generate an accepted key schedule that solves the 
long-felt need for using all the bits in the master key. 

Another preferred embodiment of the method of the present invention for operating a general 
purpose data processor of known type to enable the data processor to encrypt employing a key schedule 
further comprising: entries of PC2 with values above 28 have four added to them. An object of 
adding four to values above 28 is that the schedule will have balanced left and right halves. An advantage 
of a selected key table (see specifically figure 10, table I) is that round subkey bits depend equally on 
any given master key bit. 
Another preferred embodiment of the method of the present invention for operating a general 
purpose data processor of known type to enable the data processor to encrypt employing a key schedule 
further comprising: the key schedule rotation is carried out 64 bits at a time rather than in two groups 
of 32 each, with an advantage of eliminating the distinction between two halves present in the prior 
art. An object is that an eavesdropper would find it more difficult to isolate parts of a key. 
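The three key-schedule modifications just described (the full 64 key bits fed to PC2, four added to every PC2 entry above 28, and rotation of the whole 64-bit register rather than of two halves), as an added C example rather than the patent's code. It assumes the standard DES PC-2 selection table as the base table (the rearranged table of figure 10 is not reproduced on this page), the standard DES per-round rotation amounts, and numbering of register bits from 1 at the most significant end; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard DES PC-2: 48 positions (1-based) into the 56-bit CD register.
 * The first 24 entries select from C (values 1..28), the last 24 from D
 * (values 29..56). */
static const uint8_t PC2[48] = {
    14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10, 23, 19, 12,  4,
    26,  8, 16,  7, 27, 20, 13,  2, 41, 52, 31, 37, 47, 55, 30, 40,
    51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32 };

/* Standard DES left-rotation amounts for rounds 1..16. */
static const uint8_t SHIFTS[16] = { 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1 };

/* The text's modification: entries above 28 have four added, so the table
 * addresses a 64-bit register whose halves occupy bits 1..32 and 33..64. */
unsigned modified_pc2_entry(int i)
{
    unsigned v = PC2[i];
    return v > 28 ? v + 4 : v;
}

uint64_t rotl64(uint64_t x, unsigned n)
{
    n &= 63;
    return n ? (x << n) | (x >> (64 - n)) : x;
}

/* Select 48 bits from the 64-bit key register; bit 1 is the most
 * significant bit of the register, and output bits are packed MSB first. */
uint64_t modified_pc2(uint64_t reg)
{
    uint64_t sk = 0;
    for (int i = 0; i < 48; i++) {
        unsigned pos = modified_pc2_entry(i);         /* 1..60 */
        uint64_t bit = (reg >> (64 - pos)) & 1u;
        sk = (sk << 1) | bit;
    }
    return sk;
}

/* Subkey for round r (1..16): rotate the whole 64-bit register by the
 * cumulative shift, then apply the modified PC-2. */
uint64_t subkey_round(uint64_t key, int r)
{
    unsigned cum = 0;
    for (int i = 0; i < r; i++) cum += SHIFTS[i];
    return modified_pc2(rotl64(key, cum));
}

/* Check the "balanced halves" claim: 24 entries address the left half
 * (1..28) and 24 the right half (33..60); none fall in 29..32. */
int balanced_halves(void)
{
    int left = 0, right = 0;
    for (int i = 0; i < 48; i++) {
        unsigned v = modified_pc2_entry(i);
        if (v <= 28) left++;
        else if (v >= 33 && v <= 60) right++;
    }
    return left == 24 && right == 24;
}

int main(void)
{
    uint64_t key = 0x0123456789ABCDEFull;
    for (int r = 1; r <= 16; r++)
        printf("round %2d subkey 0x%012llx\n", r, (unsigned long long)subkey_round(key, r));
    return 0;
}
```

Register bits 29..32 and 61..64 are never addressed by the modified table directly; they enter the subkeys only because the rotation runs across the full 64 bits, which is the point of the third modification. Rotating the key 0x0F (bits 61..64) by one, for instance, brings bit 64 to position 60, the largest entry in the modified table.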

Another preferred embodiment of the method of the present invention for operating a general 
purpose data processor of known type to enable the data processor to encrypt employing a key schedule 
further comprising: the subkey is made dependent on the serial number of the parallel execution, with 
an advantage that even if the master key repeats exactly, the subkeys will not. An object of causing 
output from a system with a repeated master key and repeated data to be distinct is that the typical 
demonstration of a product built according to the method would be more pleasant to humans. 

Another preferred embodiment of the method of the present invention for operating a general 
purpose data processor of known type to enable the data processor to encrypt employing a key schedule 
further comprising: the subkey used is derived from finding a multiplicative inverse over a field, with 
an advantage that the key insertion operation thereby becomes modulo division. An object of modulo 
division is that such a key insertion operation is no longer argument-order insensitive. An advantage 
of the order sensitivity is that interchanging plain text and master key gives different results, even for a 
key insertion operation. 
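Multiplication, inversion and division over the Fermat field modulo 65537 with the text's convention that the 16-bit word 0 stands for -1 (that is, for 65536), as an added C example that is not the patent's code. It serves the ring definitions of the FORM OF MULTIPLICATION section, the division-by-inverse step there, the permutation and "group" property claimed for the Fermat-field key-inserter, and the order sensitivity of modulo division described just above; the function names and the use of Fermat's little theorem for the inverse are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>

#define FERMAT_MOD 65537u   /* 2^16 + 1 is prime, so Z/65537 is a field */

/* The text's convention: a 16-bit word holds a field element, with the
 * word 0 standing for 65536 == -1 (mod 65537). Every word therefore
 * represents a non-zero element, and the multiplicative group of the
 * field is exactly the 2^16 words. */
static uint32_t to_field(uint16_t w)   { return w ? w : 65536u; }
static uint16_t from_field(uint32_t e) { return (uint16_t)(e == 65536u ? 0 : e); }

/* Multiplication with a single exception (the zero word), i.e. a
 * logarithmic number of conditionals as the text requires. The product of
 * two encoded values can reach 2^32, so it is formed in 64 bits. */
uint16_t fmul(uint16_t a, uint16_t b)
{
    uint64_t p = ((uint64_t)to_field(a) * to_field(b)) % FERMAT_MOD;
    return from_field((uint32_t)p);
}

/* Multiplicative inverse via Fermat's little theorem: x^(p-2) mod p. */
uint16_t finv(uint16_t a)
{
    uint64_t base = to_field(a), result = 1;
    uint32_t e = FERMAT_MOD - 2;
    while (e) {
        if (e & 1) result = result * base % FERMAT_MOD;
        base = base * base % FERMAT_MOD;
        e >>= 1;
    }
    return from_field((uint32_t)result);
}

/* Division as the text describes it: find the inverse, then multiply.
 * Unlike multiplication, fdiv(a, b) != fdiv(b, a) in general. */
uint16_t fdiv(uint16_t a, uint16_t b) { return fmul(a, finv(b)); }

/* For a fixed key k, x -> fmul(x, k) must be a permutation of all 2^16
 * words. Returns 1 if no two inputs collide. */
int is_permutation_for_key(uint16_t k)
{
    static unsigned char seen[65536];
    for (uint32_t i = 0; i < 65536; i++) seen[i] = 0;
    for (uint32_t x = 0; x < 65536; x++) {
        uint16_t y = fmul((uint16_t)x, k);
        if (seen[y]) return 0;
        seen[y] = 1;
    }
    return 1;
}

/* The "group" property: for any output y and any desired input x there is
 * a key k with fmul(x, k) == y, namely k = y / x. */
uint16_t key_mapping(uint16_t x, uint16_t y) { return fdiv(y, x); }

int main(void)
{
    printf("fmul(0,0)   = %u (word 0 is -1, and (-1)*(-1) = 1)\n", fmul(0, 0));
    printf("finv(2)     = %u\n", finv(2));
    printf("fdiv(15,3)  = %u, fdiv(3,15) = %u\n", fdiv(15, 3), fdiv(3, 15));
    printf("key_mapping(7,42) = %u\n", key_mapping(7, 42));
    printf("permutation for key 12345: %d\n", is_permutation_for_key(12345));
    return 0;
}
```

The exception handling is the one place where a constant-time implementation needs care: the branch in to_field and from_field is on the data itself, and in a bit-slice or hardware setting it would be replaced by the arithmetic identity the text alludes to, reducing a 32-bit product to lower - upper modulo 65537.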

Another preferred embodiment of the method of the present invention for operating a general 
purpose data processor of known type to enable the data processor to encrypt employing a key schedule 
further comprising: the zero subkey is replaced by a round-dependent mask value. An advantage of 
using a round-dependent mask is that weak keys are replaced with arbitrary and better values. An 
object of employing a round-dependent mask value is that the typically demonstrated zero master key 
provides a decent mixing function. 

Reference is made to figure 7. Another preferred and optional embodiment of the method of the
present invention described in figure 1, wherein the form of multiplication features the steps of:
multiplying a plurality of bits from the plain text-derived input and a plurality of bits from the plurality
of round-dependent sub keys to form a common multiplication product; performing an exclusive-or
function on a plurality of bits from the plain text-derived input and a plurality of bits from the
plurality of round-dependent sub keys to form a balanced product. The step of combining the plain
text-derived input with a plurality of round-dependent sub keys further comprises the step of:
performing an addition function on the common multiplication product and the balanced product to
form a pseudo-random product. The step of combining the plain text-derived input with a plurality of
round-dependent sub keys further comprises the steps of performing a thorough folding operation on
two pseudo-random products as follows: fold the upper half of the first pseudo-random product into
the lower half of the second pseudo-random product to form a first result; fold the lower half of the
first pseudo-random product into the upper half of the second pseudo-random product to form a
second result; concatenate the first result to the second result to form a folded product. An advantage
of these or equivalent steps is that all the bits of each of the products depend heavily on both plain text-
derived inputs and both round-dependent sub keys. The step of combining the plain text-derived
input with a plurality of round-dependent sub keys further comprises the step of performing a
blending operation on two folded products as follows: concatenate the lower half of the first folded
product with the upper half of the second folded product to form a blended product. Optionally and
preferably, the fold operation is exclusive-or. An object is that an input to a plurality of distinct s-boxes
depends on four plain text-derived inputs and four corresponding round-dependent sub keys. These
advantages and objects have many alternative descriptions; any description with similar results is
sufficient. The descriptions provided herein are strictly exemplary.
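As an added illustration (not code from the patent), the following Python models the figure-7 steps just described: common product, balanced product, pseudo-random product, thorough folding of two products and blending of two folded products, and then checks that each of the four inputs and four sub keys influences the blended product. The k-bit argument width, the 2k-bit product width, the pairing of the four executions and all sample values are assumptions; the same code covers the common-product-plus-exclusive-or form described under KEY INSERTION OPERATION below.

```python
# Added illustration, not code from the patent: a toy model of the figure-7
# key insertion with k-bit arguments and 2k-bit products (widths, pairing of
# the four executions and sample values are assumptions of this example).


def pseudo_random_product(x: int, s: int, k: int) -> int:
    """Common product plus balanced (exclusive-or) product, kept to 2k bits."""
    mask2 = (1 << (2 * k)) - 1
    common = (x * s) & mask2            # common multiplication product
    balanced = x ^ s                    # balanced product
    return (common + balanced) & mask2  # pseudo-random product


def upper(v: int, k: int) -> int:
    """Upper k bits of a 2k-bit value."""
    return (v >> k) & ((1 << k) - 1)


def lower(v: int, k: int) -> int:
    """Lower k bits of a 2k-bit value."""
    return v & ((1 << k) - 1)


def fold(p1: int, p2: int, k: int) -> int:
    """Thorough folding of two pseudo-random products; the fold is exclusive-or."""
    first = upper(p1, k) ^ lower(p2, k)   # upper half of p1 into lower half of p2
    second = lower(p1, k) ^ upper(p2, k)  # lower half of p1 into upper half of p2
    return (first << k) | second          # folded product = first || second


def blend(f1: int, f2: int, k: int) -> int:
    """Blending: lower half of the first folded product || upper half of the second."""
    return (lower(f1, k) << k) | upper(f2, k)


def key_insert(inputs, subkeys, k: int) -> int:
    """Four plain-text-derived inputs and four sub keys -> one 2k-bit blended product."""
    p = [pseudo_random_product(x, s, k) for x, s in zip(inputs, subkeys)]
    f1 = fold(p[0], p[1], k)
    f2 = fold(p[2], p[3], k)
    return blend(f1, f2, k)


def dependency_counts(inputs, subkeys, k: int):
    """For each of the 8 arguments, count the output bit positions that some
    single-bit flip of that argument changes (a check of the dependency claim)."""
    base = key_insert(inputs, subkeys, k)
    counts = []
    for which in (0, 1):            # 0 = inputs, 1 = sub keys
        for idx in range(4):
            changed = 0
            for bit in range(k):
                x, s = list(inputs), list(subkeys)
                (x, s)[which][idx] ^= 1 << bit
                changed |= key_insert(x, s, k) ^ base
            counts.append(bin(changed).count("1"))
    return counts


if __name__ == "__main__":
    # constructed sample values, not from the patent
    X = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0x0BADF00D]
    S = [0x9E3779B9, 0x7F4A7C15, 0x165667B1, 0xC2B2AE35]
    print(hex(key_insert(X, S, 32)))
    print(dependency_counts(X, S, 32))
```

Note that the blended product keeps only one half of each folded product, so a flip in the top bit of one argument can leave the output unchanged for particular sub key values; dependency_counts makes that visible for any chosen values.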

Reference is made to figure 8. An alternative embodiment of the machine of the present invention
employs an extended P permutation machine comprising a local scrambling operation and a
permutation distributing bits from the output of a given local scrambler to the input of other local scramblers.

An extended P permutation is defined as a permutation on groups of s-boxes wherein the orbital
property is preserved between (and within) the groups of s-boxes. Where the orbital property is not
possible, because the number of outputs is limited, an extended P permutation will distribute the
output bits evenly, balancing the value of public bits against private bits to break symmetry. Public bits
are those repeated by the E expansion. A machine for data scrambling comprising a local scrambling
operation and a permutation distributing bits from the output of a given local scrambler to the input of other
local scramblers, comprising: a local scrambler P which distributes four outputs among eight possible
boxes, and a global scrambler PP which distributes a plurality of outputs among groups of possible
s-boxes to effect an extended P permutation. Optionally and alternatively, a known permutation is
used within each scrambler, further comprising: wires which interconnect the output of a given
scrambler with inputs of other scramblers. Optionally and alternatively, the known permutation is the
prior art P permutation from DES.
Reference is made to figure 9. A preferred embodiment of the method of the present invention for
implementing substitution boxes in logic gates on a 32-bit microprocessor. An advantage of
employing a 32-bit processor is that the method is applicable to Intel compatible microprocessors.

Another preferred embodiment of the method of the present invention wherein the plurality of s-
boxes are applied in bit-slice form using logic gates. An object and advantage is that a physical
apparatus can be easily built and speed gains achieved.

A preferred embodiment of the machine of the present invention wherein the encrypting is
implemented by bit-slicing circuits. An advantage is thereby providing a design for a physical
apparatus of logic gates. An object is that the machine can be implemented with fivefold speed gains.

Reference is made to figure 10. A preferred embodiment of the method of the present invention
for operating a general purpose data processor of known type to enable the data processor to encrypt
comprising: employing masks in which the mask used depends on information available within the
round function selected from the group consisting of round number and data being encrypted, with an
advantage that repeated plain text-derived-input and sub key pairs will still permit the round function to
generate distinct output. An object is to correctly treat a master key with repeated segments, useful
to verify the functionality of the method.

Another preferred embodiment of the method of the present invention, optionally and preferably
further comprising the step of performing a combining operation on the plurality of input blocks with
a mask determined according to a criterion selected from the group of the number of the round being
performed and the input block number.

A preferred embodiment of the machine of the present invention for encrypting plain text-derived-
input comprising: a memory providing the s-boxes of DES as numbers, and a logic circuit which combines
the numbers on a bit-by-bit basis with limited carry into the stream of the plain text-derived-input.
Exclusive-or is a group-like operation relative to Hamming weights. Given one input with a given
Hamming weight, it is always possible to find a second input such that the output Hamming weight
will be that desired. If one of the arguments has a balanced Hamming weight, an approximately equal
number of zeros and ones, and the other argument has an unbalanced Hamming weight, mostly zeros
or mostly ones, the result will usually be more balanced than the second argument. Thus, an
advantage is that plain text-derived inputs which tend toward unbalanced Hamming weights will have
that tendency corrected. An object of corrected unbalanced input is to allow
providing plain text with redundancy.

Reference is made to figure 11. A preferred embodiment of the machine of the present invention
for an operation selected from the group of hashing machine and encryptor wherein a plain text and a
plurality of sub keys are employed as new sub key generators to generate new sub keys, whereby the
new sub keys are employed to process future plain texts.

One embodiment of the method of the present invention seeks to provide improved methods for
DES encryption, it being understood that an iterative block cipher could be used in place of DES.

It being further understood that any cryptographic primitive could be used to replace DES in the
description and claims. Moreover, wherever addition or multiplication are used in the claims, it is
illustrative, being that either could be replaced by at least one operation selected from the group
consisting of a form of multiplication, blending, folding and combining.

Reference is made to figures 20-26. There is thus provided, in accordance with a preferred
embodiment of the present invention, a method for protecting confidentiality of information written
on a notebook computer, the method comprising: protecting a plurality of files on an automatic file-
by-file basis, wherein protection of each individual file includes the following steps: using a
symmetric cryptosystem to encrypt the individual file, thereby to generate an encrypted individual file;
and storing the encrypted individual file on the notebook computer.

Also provided, in accordance with another preferred embodiment of the present invention, is a
method for protecting confidentiality of information written on a hard disk, the method comprising:
using a first symmetric cryptosystem to encrypt a file having a selectably known file key; and
encrypting the selectably known file key using a second symmetric cryptosystem and a selectably
known master key derived from a selectably known pass phrase using a cryptographically strong hash
function.
Further in accordance with another preferred embodiment of the present invention is a method
comprising the following steps: decrypting the selectably known file key using the second symmetric
cryptosystem and the selectably known master key; and decrypting the file using the selectably known
file key and the first symmetric cryptosystem. Further in accordance with another preferred
embodiment of the present invention is a method in which the cryptographically strong hash
function comprises a MAC (message authentication code).

Reference is made to figures 27-36. There is thus provided, in accordance with a preferred
embodiment of the present invention, a DES encryption method including performing N DES
rounds, including, for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain
text derived input to the n'th round wherein addition is substituted for exclusive-or in performing the
n'th DES round, wherein a sub key is defined for each of the N rounds and wherein at least some of
the N sub keys are dependent.

Further, in accordance with a preferred embodiment of the present invention, all of the N sub
keys are derived from a standard key schedule. Still further in accordance with a preferred
embodiment of the present invention, the plain text derived input to the n'th round (n>1) comprises an
output of a round previous to the n'th round. Additionally, in accordance with a preferred
embodiment of the present invention, the plain text derived input to the first round comprises at least
a portion of the plain text.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption method including performing N>16 rounds, including for at least one 1<=n<=N,
performing an n'th DES round on a sub key and a plain text derived input to the n'th round wherein
addition is substituted for exclusive-or in performing the n'th DES round.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption system including an addition-based DES encryptor operative to perform N DES
rounds including, for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain
text derived input to the n'th round wherein addition rather than exclusive-or is used to perform the
n'th DES round, wherein a sub key is defined for each of the N rounds and wherein at least some of
the N sub keys are dependent. Further in accordance with a preferred embodiment of the present
invention, the step of performing N DES rounds comprises performing a bit-slice implementation of
DES.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption method comprising: performing N DES rounds, including, for at least one 1<=n<=N,
performing an n'th DES round on a sub key and a plain-text derived input to the n'th round,
wherein the step of performing N DES rounds comprises using a personal computer to perform a bit-
slice implementation of DES. Further in accordance with a preferred embodiment of the present
invention, the personal computer has at least one register which is 32 bits long.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption method comprising: performing N DES rounds, including, for at least one 1<=n<=N,
performing an n'th DES round on a sub key and a plain text derived input to the n'th round,
wherein the step of performing N DES rounds comprises using a computer having registers whose
size is less than 64 bits to perform a bit-slice implementation of DES.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption method comprising: computing a sub key for each of N DES rounds, at least some
of the N sub keys being dependent, by combining a plurality of key-to-sub key operations into a single
key-to-sub key operation on a DES key, thereby to provide a sub key; and performing N DES rounds.
Further in accordance with a preferred embodiment of the present invention, for at least one
1<=n<=N, the step of combining a plurality of key-to-sub key operations thereby to obtain an (n+1)th
sub key is performed before the (n+1)th round is performed. Further in accordance with a preferred
embodiment of the present invention, for at least one 1<=n<=N, the step of combining a plurality of
key-to-sub key operations thereby to obtain an (n+1)th sub key is performed before the n'th round is
performed. Further in accordance with a preferred embodiment of the present invention, for at least
one 1<=n<=N, the step of combining a plurality of key-to-sub key operations thereby to obtain an
(n+1)th sub key is performed before the n'th sub key is used. Further in accordance with a preferred
embodiment of the present invention, for at least one 1<=n<=N, the step of combining a plurality of
key-to-sub key operations thereby to obtain an (n+1)th sub key is performed before completing the
use of the n'th sub key.
Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption method comprising: using first and second permutations and a mapping to perform
each of N DES rounds, wherein the first permutation includes a left half L* and a right half R*,
and wherein L* comprises a composition of an inverse P permutation and a left half, L, of an initial
permutation, and wherein R* comprises a composition of the inverse P permutation and a right half,
R, of the initial permutation; wherein the second permutation includes a left half L** and a right
half R**, and wherein L** comprises a composition of the P permutation and a left half of the final
permutation, and R** comprises a composition of the P permutation and a right half of the final
permutation; and wherein the mapping comprises a composition of the P permutation with an E
expansion.
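As an added example (not from the patent), the following Python checks the composition just described: on halves transformed by the inverse P permutation, a DES round that uses the mapping "E after P" and drops the P permutation gives the same result as the standard round E, S, P. The P and E tables are the standard DES tables; the s-box layer is a constructed stand-in and the initial and final permutations are left out, since the equivalence holds for any s-box layer and any outer permutation.

```python
# Added example, not code from the patent: a DES round on P^-1-transformed
# halves L*, R* with the mapping "E after P" matches the standard round.
# P and E are the standard DES tables; sbox_layer is a constructed stand-in
# (assumption), since the equivalence does not depend on the s-boxes.

P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]

E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

MASK32 = 0xFFFFFFFF


def permute(value: int, table, in_bits: int) -> int:
    """Apply a DES-style table: entries are 1-based, bit 1 = most significant."""
    out = 0
    for src in table:
        out = (out << 1) | ((value >> (in_bits - src)) & 1)
    return out


def inverse_table(table):
    """Inverse of a bijective 1-based permutation table."""
    inv = [0] * len(table)
    for dst, src in enumerate(table, start=1):
        inv[src - 1] = dst
    return inv


P_INV = inverse_table(P)
# The mapping of the text: P first, then E, composed into one 48-entry table.
EP = [P[e - 1] for e in E]


def sbox_layer(v48: int) -> int:
    """Constructed 48->32-bit stand-in for the eight DES s-boxes (assumption)."""
    return ((v48 * 0x9E3779B1) ^ (v48 >> 11)) & MASK32


def round_standard(L: int, R: int, K: int):
    """Standard DES round: (L, R) -> (R, L xor P(S(E(R) xor K)))."""
    f = permute(sbox_layer(permute(R, E, 32) ^ K), P, 32)
    return R, L ^ f


def round_transformed(Ls: int, Rs: int, K: int):
    """Same round on L* = P^-1(L), R* = P^-1(R): no P permutation, E replaced by EP."""
    f = sbox_layer(permute(Rs, EP, 32) ^ K)
    return Rs, Ls ^ f


def to_star(L: int, R: int):
    """First permutation of the text: apply P^-1 to both halves."""
    return permute(L, P_INV, 32), permute(R, P_INV, 32)


def from_star(Ls: int, Rs: int):
    """Second permutation of the text: apply P to both halves."""
    return permute(Ls, P, 32), permute(Rs, P, 32)


def rounds_agree(L: int, R: int, subkeys) -> bool:
    """Run both forms over the same 48-bit subkeys and compare after mapping back."""
    Ls, Rs = to_star(L, R)
    for K in subkeys:
        L, R = round_standard(L, R, K)
        Ls, Rs = round_transformed(Ls, Rs, K)
    return (L, R) == from_star(Ls, Rs)


if __name__ == "__main__":
    # constructed sample halves and subkeys, not from the patent
    print(rounds_agree(0x01234567, 0x89ABCDEF,
                       [0x123456789ABC, 0x0F1E2D3C4B5A, 0xFEDCBA987654]))
```

The check relies on P being a bit permutation, hence linear over exclusive-or; it is exactly this commutation with the key insertion that the multiplication-based forms described elsewhere on this page remove.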

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption method comprising: performing N DES rounds, including, for at least one 1<=n<=N,
performing an n'th DES round on a sub key and a plain text derived input to the n'th round wherein
addition is substituted for exclusive-or in performing the n'th DES round, wherein the step of

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption method comprising: performing N DES rounds, including, for at least one
1<=n<=N, generating an n'th k-bit s-box input by performing an n'th DES round on a k-bit sub key
and a k-bit plain text derived input to the n'th round wherein multiplication in which any carry
beyond k bits is discarded is substituted for exclusive-or in performing the n'th DES round. Further
in accordance with a preferred embodiment of the present invention, all of the N sub keys are derived
from a standard key schedule. Further in accordance with a preferred embodiment of the present
invention, the plain-text derived input to the n'th round (n>1) comprises an output of a round
previous to the n'th round. Further in accordance with a preferred embodiment of the present
invention, the plain text derived input to the first round comprises at least a portion of the plain text.
Further in accordance with a preferred embodiment of the present invention, N>16.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption system comprising: a DES encryptor operative to perform N>16 DES rounds,
including, for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain text
derived input to the n'th round wherein addition is substituted for exclusive-or in performing the n'th
DES round. Further in accordance with a preferred embodiment of the present invention, the step of
performing an n'th DES round comprises performing a bit-slice DES round.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption method comprising: performing N DES rounds, including, for at least one 1<=n<=N,
performing an n'th DES round on a sub key and a plain text derived input to the n'th round
wherein addition is substituted for exclusive-or in performing the n'th DES round, wherein the step
of performing N DES rounds comprises performing a bit-slice implementation of DES. Further in
accordance with a preferred embodiment of the present invention, a sub key is defined for
each of the N rounds and at least some of the N sub keys are dependent.

Also provided, in accordance with another preferred embodiment of the present invention, is a
WDES encryption method comprising: performing a plurality of rounds of WDES encryption, each
round using a round function F; wherein, for the round function F of at least one round, addition
with final carry neglected is substituted for exclusive-or.

Also provided, in accordance with another preferred embodiment of the present invention, is a
WDES encryption method comprising: performing a plurality of rounds of WDES encryption, each
round using a round function F; wherein, for the round function F of at least one round, a form of
multiplication is substituted for exclusive-or.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption method comprising: performing N DES rounds, including for at least one 1<=n<=N,
generating an n'th k-bit s-box input by performing an n'th DES round on a k-bit sub key and a k-bit
plain text derived input to the n'th round wherein multiplication, performed over a ring, is substituted
for exclusive-or in performing the n'th DES round. Further in accordance with a preferred
embodiment of the present invention, the multiplication over a ring comprises multiplication
over a finite field. Further in accordance with a preferred embodiment of the present invention,
the ring has a modulus and the modulus is a product of less than 5 primes. Further in
accordance with a preferred embodiment of the present invention, the ring has a modulus and
the modulus is a product of less than 4 primes. Further in accordance with a preferred embodiment
of the present invention, the ring has a modulus and the modulus is a product of 2 primes. Further in
accordance with a preferred embodiment of the present invention, the ring has a modulus and the
modulus is prime. Further in accordance with a preferred embodiment of the present invention, the
ring has a modulus and the modulus comprises a product of a plurality of primes at least one of which
slightly exceeds an exponent of 256. Further in accordance with a preferred embodiment of the
present invention, the ring has a modulus and the modulus comprises a product of a plurality of
primes at least one of which slightly exceeds an exponent of 65536 such as 65536 or 2^32 or 2^48 or
2^64. Further in accordance with a preferred embodiment of the present invention, the ring has a
modulus and the modulus comprises a product of a plurality of primes at least one of which is slightly
less than an exponent of 256. Further in accordance with a preferred embodiment of the present
invention, the ring has a modulus and the modulus comprises a product of a plurality of
primes at least one of which is slightly less than an exponent of 65536 such as 65536 or 2^32 or 2^48 or

Also provided, in accordance with another preferred embodiment of the present invention, is a
WDES encryption method comprising: performing a plurality of rounds of WDES encryption, each
using a round function F; wherein, for the round function F of at least one round, multiplication over
a ring is substituted for exclusive-or. Further in accordance with a preferred embodiment of the
present invention, the step of performing an n'th DES round comprises performing a bit-slice DES
round.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption system comprising: a DES encryptor for performing N>16 DES rounds, including,
for at least one 1<=n<=N, an addition-based DES engine operative to perform an n'th DES round
on a sub key and a plain text derived input to the n'th round wherein addition rather than exclusive-or
is used to perform the n'th DES round.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption system comprising: a DES encryptor for performing N DES rounds, including, for at
least one 1<=n<=N, a DES engine operative to perform an n'th DES round on a sub key and a plain
text derived input to the n'th round; and a computer having registers whose size is less than 64 bits,
wherein the DES encryptor is configured to perform the N DES rounds including performing a bit-
slice implementation of DES while running on the computer.
Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption system comprising: a sub key computation engine operative to compute a sub key
for each of N DES rounds, at least some of the N sub keys being dependent, the sub key computation
engine including a single key-to-sub key operator performing a combination of a plurality of key-to-
sub key operations as a single key-to-sub key operation and performing the single key-to-sub key
operation on a DES key, thereby to provide a sub key; and a DES engine operative to perform N
DES rounds using the N sub keys.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption system comprising: a DES encryptor using first and second permutations and a
mapping to perform each of N DES rounds, the DES encryptor comprising: a first permutation
provider providing the first permutation which includes a left half L* and a right half R*, wherein
L* comprises a composition of an inverse P permutation and a left half L of an initial permutation,
and wherein R* comprises a composition of an inverse P permutation and a right half R of an initial
permutation; a second permutation provider providing the second permutation which includes a left half
L** and a right half R**, wherein L** comprises a composition of the P permutation and a left half L
of a final permutation, and wherein R** comprises a composition of the P permutation and a right
half R of a final permutation; and a mapping provider providing the mapping which comprises a
composition of the P permutation and the E expansion.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption system comprising: a DES encryptor operative to perform N DES rounds, including
an addition-based DES engine performing, for at least one 1<=n<=N, an n'th DES round on a sub
key and a plain-text derived input to the n'th round wherein addition rather than exclusive-or is used
in performing the n'th DES round, wherein the N DES rounds are performed by performing a bit-
slice implementation of DES.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption system comprising: a DES encryptor operative to perform N DES rounds, including
an s-box input provider operative to provide, for at least one 1<=n<=N, an n'th k-bit s-box input by
performing an n'th DES round on a k-bit sub key and a k-bit plain text derived input to the n'th
round wherein multiplication with any carry beyond k bits discarded is used, rather than
exclusive-or, in performing the n'th DES round.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption system comprising: a DES encryptor operative to perform N DES rounds, including
an addition-based DES engine operative, for at least one 1<=n<=N, to perform an n'th DES round
on a sub key and a plain text-derived-input to the n'th round wherein addition rather than exclusive-
or is used in performing a bit-slice implementation of DES.

Also provided, in accordance with another preferred embodiment of the present invention, is a
WDES encryption system comprising: a WDES encryptor operative to perform a plurality of rounds
of WDES encryption, each round using a round function F, the WDES encryptor including an
addition-based WDES engine operative, for the round function F of at least one round, to perform
addition with final carry neglected rather than performing exclusive-or.

Also provided, in accordance with another preferred embodiment of the present invention, is a
WDES encryption system comprising: a WDES encryptor operative to perform a plurality of rounds
of WDES encryption, each round using a round function F, the WDES encryptor including a
common multiplication-based WDES engine operative, for the round function F of at least one round,
to perform common multiplication with final carry neglected rather than performing exclusive-or.

Also provided, in accordance with another preferred embodiment of the present invention, is a
DES encryption system comprising: a DES encryptor operative to perform N DES rounds, the DES
encryptor including, for at least one 1<=n<=N, an s-box input provider operative to provide an n'th
k-bit s-box input by performing an n'th DES round on a k-bit sub key and a k-bit plain text derived
input to the n'th round wherein the n'th DES round includes performing multiplication over a ring
rather than performing exclusive-or.

It is appreciated that the number of bits used to store any of the various quantities shown and
described herein need not necessarily be exactly as described herein. Typically, the multiplicative ratio
between the various numbers of bits used to store various quantities within a particular method
remains constant even if the quantities themselves are varied.

DESCRIPTION OF AN EMBODIMENT OF INVENTION: MULTIDES

A personal computer refers to a wide variety of computers whose architecture is similar to the
IBM PC architecture. The term "personal computer" is not intended to include minicomputers such
as a DEC-Alpha.

The term "bit-slice DES" refers to the encryption methods shown and suggested in Biham, E., "A
fast new DES implementation in software," Proceedings of Fast Software Encryption Workshop,
Springer-Verlag, January 1997, and to known equivalents of the methods shown and suggested by E.
Biham.

BASIC KEY INSERTION OPERATION

Figure 4, explained in more detail later, is an exemplary illustration of a preferred embodiment
which explains how to make and use an internal round function portion of the method of the present
invention. Expansion, s-boxes and P-permutation are as appearing in prior art DES. One object of the
method of the present invention is to overcome weaknesses in prior art DES which caused it to
succumb to differential cryptanalysis.

Since the introduction of the prior art Data Encryption Standard, there has been interest in its
strength and design criteria. With the discovery of prior art differential cryptanalysis the optimality of
certain aspects of the design became apparent. Central weaknesses of the prior art include bit-wise
independent operations and use of involution for key insertion. In proposing any cipher, the burden
lies with the authors to show that it withstands these now classical attacks well.

Upon a close reading of the results of Biham-Shamir [BiSh93] and extensive analysis, it became
clear that the bit-wise involution for combining the subkey inside the F function was not a feature that
strengthened the cipher.

The inventor discovered that these two alternative attributes, (a) bit-wise and (b) involution, were
responsible for the success and simplicity of differential cryptanalysis. (Eurocrypt '9R: Properties of
DES that facilitate Differential Cryptanalysis, Stiebel, J.)

The prior art is vulnerable because of use of bit-wise involution. The bit-wise aspect allowed for
commutativity between the permutations and the key-insertion operation. Likewise, differential
cryptanalysis is able to effectively "ignore" the E expansion and P permutation.

Differential cryptanalysis deals with the question of how to overcome the S substitution boxes
using input exclusive-or, probability and output exclusive-or.
The use of the involution enables canceling the effect of the round-key.

Preferably, replacement of a bit-wise operation such as exclusive-or with a group operation such
as a form of multiplication, optionally over a ring or field, enhances the cryptographic strength of the
cipher.

The existing F function used in the round is documented in the prior art DES patent. The
operations used in the prior art F function are E expansion, key insertion with exclusive-or, s-box
calculation, followed by P permutation. (See Tables II, III, and IV below.)

KEY INSERTION OPERATION 

Reference is made to figures 1 and 2. Figure 2 is an exemplary illustration of a preferred
embodiment which explains how to make and use the key insertion portion of the method of the
present invention. Preferably, the form of multiplication chosen will be the common product of the two
arguments plus the exclusive-or of the arguments. Optionally, modulo multiplication is employed over a
Fermat field. Preferably and optionally, an embodiment of the method of the present invention defines
the form of multiplication to be common multiplication with upper and lower halves folded together.
Preferably and optionally, an embodiment of the method of the present invention defines the form of
multiplication to be common multiplication with an upper half folded into a lower half of a companion
execution of the method. Preferably and optionally, the method of the current invention is employed
in a bit-slice implementation of the s-boxes.

Exclusive-or is a bit-wise involution. Exclusive-or is a simpler operation which can model
addition. Not only is exclusive-or commutative (unlike subtraction), but it is also self-canceling.

Although exclusive-or causes every bit of the output to depend on bits of each argument to the
exclusive-or, the effect is extremely localized. It depends on exactly ONE bit of each of the
arguments.

This characteristic of bit-wise operation allows exclusive-or, as well as by extension the input
exclusive-or used for differential cryptanalysis, to commute with the P Permutation and E Expansion
found in DES.

Thus, the P Permutation is typically combined with the E Expansion of the following round.
Optionally, the P Permutation is combined with the s-boxes. More interestingly, the E Expansion
is combined with the s-boxes of the current round (not the previous round).
In the method of the present invention, the optimizations of combining the E Expansion with the
previous or current round are no longer equivalent. Hence, in the preferred embodiment of the
method of the present invention, MultiDES, perform the E Expansion after the multiplication and
folding. In an alternative embodiment of the method of the present invention as exemplified by
MultiDES based systems with bit-slice implementation, perform the E Expansion prior to the
multiplication and folding.

For example, an operation that approximates a group is preferred. This property means that, given an
output and any input specified for argument A, there exists an argument B such that A <group-
operation> B is the output.
Alternatively, the operation should not be an involution (self-canceling). The weakness of such a
property is well known. This holds even if the involution is exclusive-or with a completely unknown
random string.

CRYPTOBOX, PLURALITY-SIZE RESULT

Reference is made to figures 1 and 3. A cryptographic primitive refers to a wide variety of
operations whose goals or methods are similar to hashing, encrypting, decrypting, digital signatures,
key generation, substitution, permutation or identification, hereinafter referred to as an encryption
method. A cryptographic processor is a machine which performs a cryptographic primitive,
hereinafter referred to as a "cryptobox." Although, for clarity, the method of the present invention is
described alternately as a hash, as an encryption function, and as a key-generation mechanism, it is
understood by one skilled in the art that such choice of description in the case of the present
invention is strictly illustrative and in no way meant to be limiting to one form of cryptographic
primitive or another.

A plurality of inputs designates at least one input. A plurality size result is a result of size
equivalent to the concatenation of the plurality of inputs. A single size portion is the size of a single input.
For example, let the plurality be two. Thus, a double-size input yields a double-size result. One
half of the result is a single-size portion. Alternatively, let the plurality be three. Thus, a triple-size
input yields a triple-size result. One third of the result is a single-size portion. Let the plurality,
hereinafter, be any natural number.
A companion execution refers either to a parallel execution of an embodiment of the invention or
to its own execution. In cases wherein there is only one execution it refers to that execution.
STRENGTHENING KEYS and PLAIN TEXTS: MASKS

Reference is made to figures 1 and 10. In the preferred embodiment of the method of the present
invention, to prevent identical plain text inputs together with identical subkeys from yielding identical
round-end cipher text, introduce an exclusive-or mask with a constant value which is evenly balanced
zeros and ones. The exclusive-or mask typically depends on up to two elements selected from the
set of the round number and block number. The round number is the cardinal number of the round.
The block number is the cardinal number of the basic half block unit size such as 32 bits. Typically,
this is done prior to the key insertion operation. Alternatively, the exclusive-or mask is employed
adjacent to s-box application.

In the preferred embodiment of the method of the present invention, keys or plain texts whose
Hamming weight tends towards the maximum or minimum possible for a given key or block size may have
incomplete mixing properties when using a common or modular multiplication operation. Preferably,
to ensure more thorough mixing and a plain text or key independent preservation of entropy entering
the round, the traditional exclusive-or of the subkey and the plain text derived input is added to the
product of the subkey and the plain text derived input.

Reference is made to figure 1. The method of the present invention whose different embodiments
are MultiDES based systems and MultiDES based systems with bit-slice implementation share steps:

0. Optionally, number the 32-bit input blocks 0..n; split each block into upper and lower halves.
(This step is strictly for notation.) This is box 110 in figure 1.

Preferably, the output of the optional step (continue to call it "plain text derived input"), or the
plain text derived input directly, is combined with round-number dependent subkeys. Preferably, each
piece of the plain text derived input is used exactly once.

1. Optionally, exclusive-or the plain text derived input with a round and input block number dependent
mask. In the preferred embodiment of the method of the current invention, derive the mask from the
s-boxes as shown in figure 10 (described below). This step is optional. This is box 120 in figure 1.

2. Preferably, employ a form of multiplication to combine the plain text derived input (output from
step 0 or 1) with round dependent subkeys. The form of multiplication used in the preferred
embodiment includes common multiplication of the two arguments plus exclusive-or of the two
arguments. This is box 130 in figure 1.

3. Preferably, fold the results of two multiplications together. The form of folding used in the
preferred embodiment is exclusive-or of the upper half of one multiplication with the lower half of the other.
Concatenate the results to form a full-size number. This is box 140 in figure 1.

4. Preferably, blend the results of the previous folding to effect folding of four distinct
multiplications together. The form of blending used in the preferred embodiment is the concatenation
of the lower half of the first argument with the upper half of the second argument. This is box 150 in
figure 1.

Preferably, after blending two products, for example, blend(a,b), then blend the same two
products again in the other order, for example, blend(b,a).

5. The preferred embodiment of the present invention employs the E expansion mapping
immediately before the s-boxes. A preferable bit-slice embodiment of the present invention employs
the E expansion mapping immediately prior to the multiplication step. This is step 160 in figure
1. In the preferred embodiment of the present invention, combine the P permutation with either the E
expansion or the s-boxes. This is step 170 in figure 1.

6. Preferably, the s-boxes are then performed either normally or in bit-slice form using logic gates.

7. Preferably, apply the P-based permutation. This is step 170 in figure 1.
Although the cipher preserves the Feistel structure, the principles herein apply also to non-Feistel
ciphers. For example, an exemplary embodiment of the method of the present invention is one in which the
round function influences and receives influence from at least half of the bits of the block size. These
ideas are relevant, for example, to TDEA and to JADE.

Figure 3 is an exemplary illustration of a preferred embodiment which explains how to make and
use the operation on two inputs yielding a double-sized result portion of the method of the current
invention. Preferably, half of the double-sized result is folded into a companion execution of the
method.

Optionally, an operation is employed on n inputs yielding an n-sized result, folding n-1 pieces of the
result into a companion execution. Optionally, each input in the folding is determined to come from a
different relative position within the n-sized result. Optionally, an operation is employed at least once
on two inputs to yield a double sized result in order to mix two distinct arguments.
Key Schedule

Reference is made to figures 4-6. In this section, the two embodiments of the method of the
present invention are detailed as regards the key schedule. The first key schedule embodiment differs
from the prior art key schedule by constructing the round subkeys with all of the bits of the master
key. The preferred key schedule embodiment of the present invention uses the block cipher itself to
generate the subkeys such that each bit of any subkey depends on every bit of the master key.
SELECTED KEY TABLE

After a careful examination of the currently available implementations of the prior art DES key
schedule, disturbing properties were noted. Reference is made specifically to figure 6.

The entire prior art schedule amounts to selection of two groups of 28 bits from the master key of
56 bits plus 8 parity bits. Two permutations are applied. Each subkey bit is exactly one bit of the
master key. Each half of every subkey is derived from a distinct half of the master key. Only 56 bits of
the available 64 bits are used. The key size is different from the block size, resulting in cryptographic
modes which have dangerous short cycle properties. Because the key schedule permutes individual
bits, it is particularly slow in software.

As a first approach, the parity bits are eliminated. Thus, all 64 bits are available for selection in the
48-bit round subkeys. Thus, rotations in the key schedule operate on a full 32 bits each rather than 28
bits apiece in the prior art.

Next, the two permutations "Permuted Choice 1" (hereinafter PC1) and "Permuted Choice 2"
(hereinafter PC2) may be composed using standard combinatorial methods wherein application of the
composition is equivalent to the application of PC1 followed by PC2. (See figure 10, table 1; figure 6,
box 610.)

Then, note that the resultant composition of PC1 and PC2 selects from only the first 56 bits of the
master key (discounting rotations in the key schedule). Including rotations, the lower 32 bits have a
higher probability to be included in the round subkeys.
Thus, add four to each entry in the resultant table wherein the entry in the prior art would refer to bits
20-56. This makes the number of bits selected in each half of the subkeys from the master key equal
in number for the two halves. (See figure 6, box 620.)

The order of the rows is preferably rearranged in the resultant table. The purpose of the
rearrangement is to cause every second row to refer to bits above the half-way mark while the other
half of the rows refer to bits below the half-way mark.

Such a table can be referred to as the "key selection permutation table" (see figure 10, table 1).
Such a key schedule can be referred to as "improved." (See figure 6.)

A typical key schedule for DES or MultiDES based systems, according to one embodiment of the
method of the present invention, would use the selected key table to generate subkey bits from the
master key. The improved key schedule thereby employs a full 64 bits, uses only a single permutation, and
cancels the separation wherein upper halves of the master key corresponded to the upper half of the subkey bits.

Preferably, the method further includes the step of feeding the full 64 key bits per block into a
rearranged PC2 from prior art DES, whereby all key bits provided by the user are employed. Optionally,
entries of PC2 with values above 28 have a value four added to them. These steps ensure that the key
schedule will be balanced at the left and right halves. Optionally, the key schedule rotation is carried
out a block at a time rather than in two half block groupings. Optionally, the subkey is made dependent
on the serial number of the parallel execution. Thus, even if the master key contains exact repeating
sequences, subkeys will not necessarily repeat. Optionally, the subkey employed is derived by finding a
multiplicative inverse over a field. Optionally, a zero subkey is replaced by a round dependent mask
value.
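The table manipulations of this section, worked through as an added example in Python (it is not code from the patent): `compose` builds the single selection table equivalent to applying PC1 and then PC2, `rebalance` applies the stated rule of adding four to PC2 entries above 28 so that each half of the subkey draws equally from each 32-bit half of a parity-free 64-bit master key, `interleave_rows` rearranges the rows so every second row refers to bits above the half-way mark, and `improved_subkeys` rotates the two 32-bit halves by the DES round shifts and selects the 48 subkey bits through the table. The PC-1, PC-2 and rotation-schedule tables are the standard DES ones; the bit-numbering convention (bit 1 is the most significant bit), the rotation direction, and the choice to rebalance PC-2 directly rather than the composed table are assumptions made here.

```python
# DES PC-1 and PC-2 (FIPS 46), 1-based bit numbers.  PC-1 reads the 64-bit
# master key; PC-2 reads the 56-bit register that PC-1 produces.
PC1 = [57, 49, 41, 33, 25, 17, 9,
       1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27,
       19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,
       7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29,
       21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5,
       3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8,
       16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55,
       30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53,
       46, 42, 50, 36, 29, 32]
# Left-rotation amount per round in the DES key schedule.
ROUND_SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def compose(first, second):
    """Single table equivalent to applying `first` and then `second`:
    output i of the composition is input number first[second[i] - 1]."""
    return [first[s - 1] for s in second]


def rebalance(table, half=28, shift=4):
    """Add `shift` to every entry above `half`, so entries that referred to the
    second 28-bit half now refer to the second 32-bit half (33..60)."""
    return [e + shift if e > half else e for e in table]


def interleave_rows(table, row_len=6):
    """Reorder rows so that every second row draws from the upper half."""
    rows = [table[i:i + row_len] for i in range(0, len(table), row_len)]
    n = len(rows) // 2
    out = []
    for lo, hi in zip(rows[:n], rows[n:]):
        out += lo + hi
    return out


def half_counts(table):
    """(entries selecting from bits 1..32, entries selecting from bits 33..64)."""
    lo = sum(1 for e in table if e <= 32)
    return lo, len(table) - lo


def rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def improved_subkeys(master_key, table):
    """48-bit subkey per round: rotate each 32-bit half of the parity-free
    64-bit master key by the round shift, then pick bits through `table`
    (assumed convention: bit 1 is the most significant bit of the register)."""
    c, d = master_key >> 32, master_key & 0xFFFFFFFF
    keys = []
    for s in ROUND_SHIFTS:
        c, d = rotl32(c, s), rotl32(d, s)
        reg = (c << 32) | d
        k = 0
        for pos in table:
            k = (k << 1) | ((reg >> (64 - pos)) & 1)
        keys.append(k)
    return keys


# The "key selection permutation table" of this section, built from PC-2.
SELECTED_KEY_TABLE = interleave_rows(rebalance(PC2))
```

`half_counts(PC2)` reports that the original PC-2 draws 28 entries from the first 32 bits and 20 from the rest, while `half_counts(SELECTED_KEY_TABLE)` gives 24 and 24, which is the balance the text asks for; `compose(PC1, PC2)` never selects a multiple of 8, i.e. the parity bits the prior art discards.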

BOOTSTRAP KEY SCHEDULE

The entire schedule amounts to selection of two groups of 28 bits from the master key of 56 bits
plus 8 parity bits. Two permutations are applied. Each subkey bit is exactly one bit of the master key.
Each half of every subkey is derived from a distinct half of the master key. Only 56 bits of the
available 64 bits are used. The key size is different from the block size, resulting in cryptographic modes
which have dangerous short cycle properties. Because the key schedule permutes individual bits, it is
particularly slow in software.
Reference is made specifically to figure 5. Preferably, a large key size is implemented using a large
block size. Optionally, a larger key size is accommodated by employing cipher-block-chaining while
generating the keys. Optionally, a larger key size is accommodated by employing an embodiment of
the invention of that block size to generate subkeys. Optionally, the delay between generating
subkeys can be made arbitrarily long with the object and advantage of increasing the necessary time for
exhaustive key search for a given key size. Optionally, an optimal sorting circuit design is used to
determine how to perform the pairings for the foldings within the round. Large key size or large
block size is understood to be at least 128 bits long.

Reference is made specifically to figure 4. After examination of the improved key schedule, the
first key schedule embodiment of the present invention has the following properties: the rotation
amount between rounds is unchanged; in this embodiment, the method is restricted to work on units
of 64 bits at a time; and the schedule yields exactly 48 bits for each subkey and, most importantly, is
still a permutation on master key bits.

A desired property of any key schedule would be that a change in a single bit of the master key
causes about half the bits of the resulting subkeys to be flipped. Additionally, each subkey bit
should be computationally independent of any given bit in the master key.

To accomplish this second approach, assume a strong block cipher with the following properties.
After four rounds of encryption, every bit of the output depends on each bit of the input. Preferably, the
block size is at least the desired master key size. Assume that encryption under any given key yields
cipher text which is computationally indistinguishable from a random permutation.

Thus, the recommended key schedule is composed as follows. (Reference is made to figure 4.)

1. Set the encryption algorithm to use a set of subkeys which are master key independent. This is step
410 in figure 4. The preferred embodiment of the key-schedule method of the present invention
employs, optionally and preferably, subkeys independent of the master key, namely subkeys
derived from values in the s-boxes. Usage of such strings from the s-boxes provides an easily available
set of numbers that are known to be a permutation. Moreover, the explanation of the choice imparts a
higher level of confidence in the method of the current invention to those of ordinary skill in the art.

2. Encrypt the desired master key for at least the number of rounds needed to achieve dependence of every bit of
the cipher text on each bit of the master key. Typically, this is four rounds. This is step 420 in figure 4.
3. Encrypt further an integral number of rounds, typically 1, 4, 8 or 16. Use the output of the s-boxes as
the desired subkeys. Repeat the previous step until sufficient subkey material is pseudo-randomly generated
for all the rounds; typically 16 rounds are employed, although substantially any number could be
used. Major benefits of Feistel structure completeness are realized already with these values. This is
step 430-440 in figure 4. Sample and store the key material after each employment of an integral
number of rounds as step 430 in figure 4. Without executing the cipher again, it would be difficult for
a key-search attack to determine whether the guessed key was correct. Thus, the method of the
present invention provides additional security against the exhaustive search attacks to which the prior art
DES is vulnerable.

4. Optionally and preferably, repeat step 2 using the subkeys generated in step 3. This is step 450 in
figure 4. Optionally, at least once set the encryption keys to be the subkeys generated and encrypt
the cipher text generated, to yield a new set of encryption keys.

An object and advantage of the method of the present invention is use of the avalanche effect
whereby after four rounds, preferably and optionally, any specific input bit will affect any specific
output bit. The bootstrap key schedule provides the feature of the method of the present invention
that encryption is rapid, unlike the prior art DES patent wherein each bit was handled individually.
An object and advantage of the key schedule is effective operation even using just a single key bit,
since the output of the subkeys will be changed. Thus, for applications wherein key size variability is
important, MultiDES, one embodiment of the method of the present invention, has a distinctive
advantage. Moreover, the key schedule is operative with a variable key setup time.

The advantages of the recommended key schedule include that it generalizes to Feistel block
ciphers of different internal structures and block sizes, it causes every subkey bit to be a complex
function of master key bits, it allows for a variable length key because each bit individually has
significance, and it is more rapid than even the improved key schedule.
Figure 7 is an exemplary illustration of a preferred embodiment which explains how to make and
use the form of multiplication portion of the method of the present invention. Preferably, a form of
multiplication features the steps as follows.

Preferably, multiply a plurality of bits from the plain text derived input and a plurality of bits from a
plurality of round-dependent subkeys to form a common multiplication product.
Optionally, perform an exclusive-or function on a plurality of bits from the plain text derived input and
a plurality of bits from the plurality of round-dependent subkeys to form a balanced product.

Preferably, perform a combining function on the common multiplication product and the balanced product
to form a pseudo-random product. A combining function is typically addition, alternatively subtraction.

Optionally, fold the upper half of the first pseudo-random product into the lower half of the second pseudo-
random product to form a first result. Fold the lower half of the first pseudo-random product into the upper half
of the second pseudo-random product to form a second result.

Optionally, concatenate the first result to the second result to form a folded product.

Preferably, concatenate the lower half of the first folded product with the upper half of the second
folded product to form a blended product.

These steps may be repeated, certain steps omitted, and the folding operation modified. The
essential constraint is that the number of bits flowing out of a step must equal the number of bits flowing to the
next step.
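The form of multiplication, folding and blending described in figure 7, and equally steps 2 to 4 of the figure 1 procedure above, worked through as an added Python example (it is not code from the patent): `form_of_multiplication` is the common product plus exclusive-or of a 32-bit input and subkey taken as a 64-bit product, `fold` exclusive-ors the upper half of each of two products into the lower half of the other and concatenates the two results, `blend` concatenates the lower half of one folded product with the upper half of the other, and `round_mix` chains them for four parallel inputs in both blend orders so that each output word carries bits of all four products. The 32-bit half-block size, the treatment of the product as a 64-bit number, and the pairing of products 0 with 1 and 2 with 3 are assumptions made here; the subkey values in the usage note are constructed.

```python
HALF = 32                                  # the page's basic half block unit size
HALF_MASK = (1 << HALF) - 1
FULL_MASK = (1 << 2 * HALF) - 1


def form_of_multiplication(x, k):
    """Common product of the two arguments plus their exclusive-or, kept as a
    double-size (64-bit) product.  The added exclusive-or keeps a zero or
    low-weight argument from collapsing the product: x = 0 still yields k."""
    return (x * k + (x ^ k)) & FULL_MASK


def upper(v):
    return v >> HALF


def lower(v):
    return v & HALF_MASK


def fold(p1, p2):
    """Fold two double-size products: the upper half of each is exclusive-ored
    into the lower half of the other, and the two single-size results are
    concatenated into one full-size number."""
    first = upper(p1) ^ lower(p2)
    second = lower(p1) ^ upper(p2)
    return (first << HALF) | second


def blend(f1, f2):
    """Concatenate the lower half of the first folded product with the upper
    half of the second, so the result carries bits of four products."""
    return (lower(f1) << HALF) | upper(f2)


def round_mix(inputs, subkeys):
    """Steps 2-4 for four parallel 32-bit inputs: multiply each with its
    subkey, fold the products pairwise (assumed pairing 0-1 and 2-3), then
    blend in both orders, blend(a, b) and blend(b, a)."""
    p = [form_of_multiplication(x, k) for x, k in zip(inputs, subkeys)]
    fa, fb = fold(p[0], p[1]), fold(p[2], p[3])
    return blend(fa, fb), blend(fb, fa)


def avalanche(inputs, subkeys, word, bit):
    """Number of bits that change in each output word of round_mix when one
    bit of one input word is flipped."""
    base = round_mix(inputs, subkeys)
    flipped = list(inputs)
    flipped[word] ^= 1 << bit
    changed = round_mix(flipped, subkeys)
    return tuple(bin(a ^ b).count("1") for a, b in zip(base, changed))
```

With constructed subkeys such as `[0x80000001, 0x9E3779B9, 0x7F4A7C15, 0x0F1BBCDC]`, `avalanche([1, 2, 3, 4], subkeys, 0, 0)` shows a single flipped input bit changing bits in both output words, because the flip alters both halves of product 0 and each blend order carries one of those halves.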

The method of the present invention uses a carefully planned and specified folding methodology
whereby each s-box input is influenced by at least half of the input bits. Another embodiment of the
method of the present invention is to have each s-box input be influenced, preferably and optionally,
by all input bits, thus requiring twice as many key bits per round by repeating the multiplication step.

Figure 8 is a self-explanatory exemplary illustration of a preferred embodiment which explains
how to make and use the permutation to span multiple blocks portion of the method of the present
invention. Preferably, a permutation to span multiple blocks features the characteristic of distributing
the output of a local scrambler to the inputs of other local scramblers as evenly as possible.
Optionally, the local scrambler is an s-box from the DES prior art.

Optionally, the internal permutation within the scrambler is the P permutation of the DES prior
art.

Significant analysis by the inventor revealed that the ideal permutation is one in which the bits are
spread out as evenly as possible. To design the scheme, count each bit. Optionally, split the same
number of public bits and the same number of private bits in each output. Optionally, split the same
number of total bits in each output. Optionally, count a public bit as twice, then distribute the public
bits to the neighbors. Optionally, apply the splitting before application of the s-boxes.
The orbital property of the P permutation is defined as the observation that for each s-box, there
exists a corresponding s-box. The outputs of a pair of such s-boxes send exactly one bit to each of
the s-boxes for the next round, while neither box sends a bit to itself. An extended P permutation is
defined as a permutation on groups of s-boxes wherein the orbital property is preserved between (and
within) the groups of s-boxes. Where the orbital property is not possible, because the number of
outputs is limited, an extended P permutation will distribute the output bits evenly, balancing the value of
public bits against private bits to break symmetry. Public bits are those repeated by the E expansion.
Private bits are those bits used once by the E expansion. A companion execution refers to a wide
variety of executions in which a plurality of instances of embodiments of an invention are executed
in parallel.

An arithmetic operation refers to a wide variety of ways of combining numbers. One example of
an arithmetic operation is a form of multiplication as defined herein. Any method for combining
numbers is suitable.

Preferably, the operation of blending is designed based on the observation that each bit of round
input in prior-art DES influences four or eight bits in the output of that round (depending on whether
the bit is private or public respectively). Due to the property of the prior-art P Permutation, the four bits
output from an s-box in the round will enter four distinct s-boxes in the next round. The P
Permutation in the prior art is constructed so that there exists another s-box whose four bits will enter
distinct s-boxes in the next round which are also distinct from those of a specific s-box. Should the
reader be familiar with electron orbital and spin, certain metaphors can assist understanding. These
properties clearly complement the Feistel structure's property of completeness after exactly four
rounds. This observation of the construction of the P Permutation was discovered by the inventor of
the present invention. Should it be extended to 5 or 6 blocks, the approach is preferably employed
prior to the s-boxes. In another embodiment of the method of the present invention, the blending
would take a plurality, such as four, of resultant products, distributing the bits so that each s-box input of
6 bits would be influenced by the maximum possible number of bits from distinct resultant products.
The effect of such an operation would be a novel and unobvious extension of the P Permutation to a
plurality of blocks.
Figure 9 is an exemplary illustration of a preferred embodiment which explains how to make and
use a circuit-based logic-gate implementation of the machine of the present invention. Preferably,
define variables, and combine them one, two and three at a time. Write logical expressions using the
precomputed combinations. Alternatively, the precomputations are reduced by combining only those
that are eventually employed. Alternatively, many other combinations of the inputs are possible so
long as the operations performed are simple microprocessor instructions. The choice of the
combinations to use for each s-box or other type of table entry is substantially determined by the
choice of groupings of the variables, of which figure 9 shows an exemplary demonstration.
Alternatively, group the variables differently, such as one, two, three, four or even all six together.

HOW TO MAKE BIT-SLICE IMPLEMENTATION LOGIC GATES

A preferred embodiment of the machine of the present invention employs a logic gate
representation. This section describes how the logic gates are generated and used. The machine
employs submachines to address the appropriate tasks.

Although the submachines are referred to in this section by name, the actual contents can be
readily recreated by a programmer skilled in the art.

A machine "gates" creates the logic gates. The logic gates mimic the S-boxes. In DES, each
output bit from an S-box can be viewed as a function of 6 input bits. In the output of the "gates"
machine, each output integer is a function of 6 input integers. The structure of the "gates" machine
includes definitions of variables followed by one set per s-box of the following: X, Y, A, B, C, D, each set
to in_sbox[#] as follows. The notation X0 means that the value X receives s-box input integer number 0.
In the list herein, order is by output integers; each time 'X' reappears a different output integer is
referenced.

X0, Y3, A4, B2, C1, D5, X7, Y8, A9, B11, C6, D10,
X12, Y16, A17, B14, C13, D15, X20, Y21, A22, B23, C18, D19,
X25, Y27, A28, B26, C24, D29, X30, Y31, A34, B33, C32, D35,
X38, Y40, A41, B37, C36, D39, X42, Y44, A47, B43, C45, D46.
#include "LOGICDEF C" (see figure 9)

4 equations; each equation indicates that an output S-box bit is a complicated function of the six
input bits X, Y, A, B, C, D.
The functions work as follows: for each output S-box bit position (from 32 plain-texts), check all
4 possible X,Y possibilities. For each X,Y, check all 4 possible A,B possibilities.

All variable names appearing in the "gates" machine are determined using Polish notation, in which
one or two operands are followed by an operation.

Operators: n = not, o = or, p = and, x = exclusive-or. Operands: X, Y, A, B, C, D
Examples: ABon = not (A or B)
          CnDx = (not C) exclusive-or D

As mentioned above, the "gates" machine builds a machine which is able to employ bit-slice
techniques. The inputs to the "gates" machine are S-boxes. Each S-box has 4 rows, and each row has
16 values; each value has a range of 0 - 15 (4 bits).

Processing: For each S-box:
    For each XY: (S-box row, each row contains 16 values)
        For each of 4 output sbox bits:
            For each AB:

The object is to determine which of the 16 possible CD values as defined in the CD[16] array
applies for each XY, AB combination.

As an example: S-Box 1

XY=0, AB=0: top row, 1st 4 entries, which are:
14, 4, 13, 1   which in bits are:   1110 0100 1101 0001

These represent:   ~C,~D   ~C,D   C,~D   C,D
The first output bit of each entry determines out-sbox 0
The second output bit of each entry determines out-sbox 1
The third output bit of each entry determines out-sbox 2
The fourth output bit of each entry determines out-sbox 3

Out-Sbox 0: 1 0 1 0 = 10   CD[10] = "Dn"
         1: 1 1 1 0 = 14   CD[14] = "CDpn"
         2: 1 0 0 0 = 8    CD[8]  = "CDon"
         3: 0 0 1 1 = 3    CD[3]  = "C"

These are indeed the CD values for XYon & (ABon & .) for the out sboxes 0, 1, 2, and 3 respectively.

WO 99/08411 PCT/IL98/00369

OutSbox[0] =
XYon & (ABon & Dn |
Meaning: The output to the 1st S-box bit position depends on:
If neither X nor Y (XYon) and also neither A nor B (ABon)
then the bit is on if not D (Dn)
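The "gates" machine of this section and figure 9, worked through as an added Python example (it is not the patent's own code): `cd_index` reads the four entries of one S-box row that share an XY row and an AB column group and returns the 4-bit pattern that indexes the CD[16] array, `gate_table` does this for every output bit, XY and AB, `gate_expression` prints the result in the page's Polish notation, and `bitslice_sbox` evaluates the resulting gate network on 64 inputs at once, one per bit lane, using only and/or/not/xor on whole words. The S-box is DES S1, the one the page's own example uses; the lane width of 64, the choice that X,Y select the row and A,B,C,D the column with D least significant, and the selector names for the other three XY and AB cases are assumptions made here, modelled on the page's `XYon` and `ABon`.

```python
# DES S-box 1 (the s-box of the page's worked example): 4 rows x 16 columns.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

LANES = 64                      # one bit lane per input; 64 lanes cover every 6-bit input
MASK = (1 << LANES) - 1


def _n(v):
    """Bitwise NOT confined to the lane width."""
    return ~v & MASK


# The 16 functions of C and D, indexed by their truth table over (C,D) =
# 00,01,10,11 read as a 4-bit number (first entry most significant), each
# named in the page's Polish notation: n = not, o = or, p = and, x = xor.
CD = [
    ("0",    lambda c, d: 0),
    ("CDp",  lambda c, d: c & d),
    ("CDnp", lambda c, d: c & _n(d)),
    ("C",    lambda c, d: c),
    ("CnDp", lambda c, d: _n(c) & d),
    ("D",    lambda c, d: d),
    ("CDx",  lambda c, d: c ^ d),
    ("CDo",  lambda c, d: c | d),
    ("CDon", lambda c, d: _n(c | d)),
    ("CDxn", lambda c, d: _n(c ^ d)),
    ("Dn",   lambda c, d: _n(d)),
    ("CDno", lambda c, d: c | _n(d)),
    ("Cn",   lambda c, d: _n(c)),
    ("CnDo", lambda c, d: _n(c) | d),
    ("CDpn", lambda c, d: _n(c & d)),
    ("1",    lambda c, d: MASK),
]

XY_NAMES = ["XYon", "XnYp", "XYnp", "XYp"]   # selectors for X,Y = 00, 01, 10, 11
AB_NAMES = ["ABon", "AnBp", "ABnp", "ABp"]   # selectors for A,B = 00, 01, 10, 11


def cd_index(sbox, row, ab, bit):
    """4-bit pattern of output `bit` (0 = most significant) over the four CD
    columns of `row` whose A,B bits equal `ab`; this indexes the CD array."""
    idx = 0
    for cd in range(4):
        idx = (idx << 1) | ((sbox[row][ab * 4 + cd] >> (3 - bit)) & 1)
    return idx


def gate_table(sbox):
    """table[bit][xy][ab] = index into CD for that output bit, row and AB group."""
    return [[[cd_index(sbox, xy, ab, bit) for ab in range(4)]
             for xy in range(4)] for bit in range(4)]


def gate_expression(sbox, bit):
    """One output bit written the way the page writes OutSbox[0]."""
    table = gate_table(sbox)[bit]
    terms = []
    for xy in range(4):
        inner = " | ".join(f"{AB_NAMES[ab]} & {CD[table[xy][ab]][0]}" for ab in range(4))
        terms.append(f"{XY_NAMES[xy]} & ({inner})")
    return " | ".join(terms)


def bitslice_sbox(sbox, X, Y, A, B, C, D):
    """Evaluate `sbox` on 64 inputs at once.  Each argument is a 64-bit word
    whose lane i holds that input bit of input number i; the result is four
    words, one per output bit (index 0 = most significant output bit)."""
    xy_sel = [_n(X) & _n(Y), _n(X) & Y, X & _n(Y), X & Y]
    ab_sel = [_n(A) & _n(B), _n(A) & B, A & _n(B), A & B]
    table = gate_table(sbox)
    outs = []
    for bit in range(4):
        word = 0
        for xy in range(4):
            inner = 0
            for ab in range(4):
                inner |= ab_sel[ab] & CD[table[bit][xy][ab]][1](C, D)
            word |= xy_sel[xy] & inner
        outs.append(word)
    return outs


def bitslice_matches_lookup(sbox):
    """Pack all 64 six-bit inputs into the lanes, run the gate form, and
    compare every lane with the ordinary table lookup."""
    X = Y = A = B = C = D = 0
    for i in range(64):
        X |= ((i >> 5) & 1) << i
        Y |= ((i >> 4) & 1) << i
        A |= ((i >> 3) & 1) << i
        B |= ((i >> 2) & 1) << i
        C |= ((i >> 1) & 1) << i
        D |= (i & 1) << i
    outs = bitslice_sbox(sbox, X, Y, A, B, C, D)
    for i in range(64):
        got = sum(((outs[bit] >> i) & 1) << (3 - bit) for bit in range(4))
        if got != sbox[(i >> 4) & 3][i & 15]:
            return False
    return True
```

`gate_table(S1)[0][0][0]` through `[3][0][0]` reproduce the page's 10, 14, 8 and 3 for XY=0, AB=0, and `gate_expression(S1, 0)` begins with `XYon & (ABon & Dn | ...`; `bitslice_matches_lookup(S1)` confirms that the gate network computes exactly the table, which is the property a bit-slice implementation must preserve.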
An operation on 32-bit quantities refers to a wide variety of operations such as arithmetic
operations.

Such operations are not intended to include using six bits at a time to perform a table lookup.

A step of calculation of combinations of variables for multiple usage refers to a wide variety of
forms of calculation and ways of combination. Any single or partial step in figure 9 would be
suitable, although not limiting.

Figure 10 is an exemplary illustration of an alternative embodiment which explains how to make
and use the masks derived from DES s-box entries portion of the method of the present invention. Table 1, a Key
Selection Permutation Table, designates which master key bits will be selected for each round
subkey. In order to use the table, the master key must be circularly rotated by the designated amount of the
round shift as noted in the prior art.

Preferably and optionally, a mask will comprise a well balanced number which is, optionally and
preferably, a partial permutation and, optionally and preferably, derived from the rows of the s-boxes
in DES. Preferably, the mask can be combined with the plain text derived round input. Such a step,
combined with the typical row-dependence of the mask, yields a strong mixing function even when the
initial plain text derived input may not be balanced zeros and ones. Typically, the partial permutation
used will depend on the grouping of 32 bits within the plain text derived input.

Figure 11 is a self-explanatory exemplary illustration of a preferred embodiment which explains
how to make and use the key schedule portion of the method of the present invention. The top of the
figure illustrates inputs of master key and predetermined initial keys to yield master key derived
subkeys. This figure begins to set the stage for subkey-feedback-mode. The middle section of the
figure illustrates inputs of master key and predetermined initial keys to yield master key derived
subkeys. These subkeys are used to encrypt in key-generation mode a plain text, which in turn
generates additional subkeys as well as a cipher text. This figure continues to set the stage for
subkey-feedback-mode. The lower section of the figure illustrates master key derived subkeys. These
subkeys are used to encrypt in key-generation mode a plain text, which in turn generates additional
subkeys as well as a cipher text. These additional subkeys are used to encrypt in key-generation mode
another plain text, etc. This figure is subkey-feedback-mode.

When employed as a hash function, a preferred embodiment of the machine of the present
invention would employ a machine which includes the length of the input in the original input itself.
A preferred embodiment of the machine of the present invention for employment as a hash function
would apply an integral number of rounds, typically four, of the system. Thereafter, it would
generate subkeys from further rounds. These subkeys would be used to influence the next plain text
to cipher text transition. (Refer to this mode hereinafter as "subkey chaining mode" or "subkey
feedback mode".) This is operative in place of cipher-block-chaining mode. An advantage and object
of such a new mode is to avoid known simple relationships between known plain text / cipher text
pairs. Such a known relationship was employed to cause the CBCM mode proposed by IBM to be
withdrawn from consideration in the United States of America standard on accepted modes.
A preferred embodiment of the method of the present invention is a stream cipher employing
Output Feedback Mode (using the previous cipher text as the new plain text) using full n-bit
feedback. The expected cycle length is 2^block. An alternative embodiment of the method of the
present invention is a stream cipher employing counting mode where the plain text is simply the
output of a non-repeating counting mechanism. The next input block would be the previous input
block plus one. An object and advantage of employing TMD in counter mode is that it allows for
accessing the key at an arbitrary distance away, e.g. useful in random access file systems.

In a preferred embodiment of the method of the present invention, Twin TMD is operative,
employed with two TMD executions A and B provided. Optionally, employ subkey chaining mode
from A to B and cipher block chaining mode from B to a future block in A's sequence.

Folding and blending operations described elsewhere herein apply also to Twin TMD. For brevity,
they are not repeated again. The chaining variables could be combined in a Feistel structure with the F
function being an entire block encryption, optionally using cipher-block-chaining or subkey-chaining.
Figure 12 is a self-explanatory exemplary illustration of a preferred embodiment of the method of
the present invention which explains how to make and use the encryption and decryption portion of
the method of the present invention. It differs from figure 1 in that it recites fewer optional elements.

Figure 13 is a self-explanatory exemplary illustration of a preferred embodiment which explains
how to make and use the key schedule portion of the method of the present invention. Preferably, in
the illustrated embodiment, the encryption algorithm is set to use a set of subkeys which are
independent of the master key. Optionally, these subkeys are derived from adjacent DES s-box
entries along the s-box row.

The figure differs from figure 4 in that it recites fewer elements and generalizes to non-Feistel
methods.

In the next figures, a plus sign in a circle is exclusive-or, an empty circle is a form of 
multiplication, and a plus sign in a box is classical addition. 

Figure 14 is a self-explanatory exemplary illustration of a preferred embodiment which explains
how to make and use an internal round function portion of the method of the present invention. An
exemplary method of folding is shown, wherein the upper half of common multiplication is folded
with the lower half. This is simple folding. This is a sample round function for Multi-DES using 64-
bit block size. The context of Multi-DES based systems relative to elements present in the prior art is
shown.

Figure 15 is a self-explanatory exemplary illustration of a preferred embodiment which explains
how to make and use a Feistel structure for the Multi-DES portion of the method of the present
invention. Showing the Feistel structure approach to this embodiment is used to illustrate that the
method of the current invention generalizes to Feistel systems corresponding to the block size
chosen. It is illustrated according to a standard representation obvious to one of ordinary skill in the
art as described for example in [BiSh93]. The figure shows an example Feistel structure for
MultiDES.

As mentioned, the form of multiplication can be applied in non-Feistel structures such as JADE, a
system by the inventor of the present invention described at Eurocrypt '97. The folding methodology
is applicable to non-Feistel structures, with a non-essential example being JADE. The key schedule
suggested would apply to any system using subkeys; the number of rounds designated prior to key
extraction will be the first round to reach completeness, that is, each output bit is influenced by each
input bit. The examples herein which show generalization beyond the Feistel structure should not be
construed to limit. The figure shows an example Multi-DES round function.

See the section above on prior art DES for a detailed explanation of the Feistel structure. 
Figure 16 is a self-explanatory exemplary illustration of a preferred embodiment which explains
how to make and use a particular form of multiplication portion of the method of the present
invention. The form of multiplication illustrated herein includes the steps of multiplying two inputs to
yield a product, performing the function of exclusive-or on those two inputs to yield a sum, followed
by adding together the product and sum. Another preferred embodiment of the method of the present
invention uses common multiplication, folding the upper and lower halves together. Another preferred
embodiment of the method of the present invention uses common multiplication, folding an upper half
of a current execution with a lower half of a companion execution. Additional forms of multiplication
apply to the key insertion operation. The figure shows an example multiplication operation in detail,
which can be common to many variants of Multi-DES. Reference is made to the section on a form of
multiplication above for additional variants.

Figure 17 is a self-explanatory exemplary illustration of a preferred embodiment which explains
how to make and use an internal round function portion of the method of the present invention. An
exemplary method of folding is shown, wherein a folds with b, b folds with a. This is pairwise
folding. The figure shows an example round function for TMD using two MultiDES encryptions in
tandem.

Figure 18 is a self-explanatory exemplary illustration of a preferred embodiment which explains how
to make and use an internal round function portion of the method of the present invention. An
example folding is shown, wherein a folds with each b and c, b folds with each a and c, c folds with
each b and a. This is round-robin folding. The figure shows an example round function TMD using
three MultiDES encryptions in tandem.

Figure 19 is a self-explanatory exemplary illustration of a preferred embodiment which explains how
to make and use an internal round function portion of the method of the present invention. An
example folding is shown. The method is: a folds to b, b folds to c, c folds to d, and d folds to a.
Refer to the result of d folding with a as da, and the result of b folding with c as bc. Then, preferably,
blend da with bc. An underlying principle is to avoid reusing influence from a given section of plain
text derived input wherever other distinct sections are available. This method is permutation
folding. The figure shows an example round function TMD using four MultiDES encryptions in
tandem.
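The following is an added worked example, not part of the patent text and not the inventor's code, implementing on fixed-width integers the form of multiplication described for Figure 16 (product plus the exclusive-or of the two inputs) and the folding patterns of Figures 14, 17, 18 and 19 (simple, pairwise, round-robin and permutation folding with blending). The function names, the operand width parameter, the truncation of the Figure 16 sum to the operand width, and the choice of which half of which companion product is folded are assumptions of this example, since the text fixes none of them; the sample operands are constructed.

```python
# Added example: forms of multiplication and folding on `width`-bit operands.
# Names and half-selection choices are this example's assumptions.
from typing import List


def mask(width: int) -> int:
    return (1 << width) - 1


def halves(product: int, width: int):
    """Split a 2*width-bit product into (upper, lower) width-bit halves."""
    return product >> width, product & mask(width)


def fold_simple(a: int, b: int, width: int) -> int:
    """Figure 14: common multiplication, upper half XOR-folded into the lower half.
    Every result bit depends on both operands, but for a fixed operand this is
    not a permutation of the other input (unlike modular multiplication)."""
    upper, lower = halves(a * b, width)
    return upper ^ lower


def mul_form(a: int, b: int, width: int) -> int:
    """Figure 16: product plus (a XOR b). Assumption: truncated to width bits."""
    return (a * b + (a ^ b)) & mask(width)


def fold_pairwise(products: List[int], width: int) -> List[int]:
    """Figure 17, two executions: a folds with b, b folds with a.
    Assumption: own upper half XOR the companion's lower half."""
    (ua, la), (ub, lb) = (halves(p, width) for p in products)
    return [ua ^ lb, ub ^ la]


def fold_round_robin(products: List[int], width: int) -> List[int]:
    """Figure 18, three executions: each folds with every other one.
    Assumption: own upper half XOR the lower halves of all companions."""
    out = []
    for i, p in enumerate(products):
        value = halves(p, width)[0]
        for j, q in enumerate(products):
            if j != i:
                value ^= halves(q, width)[1]
        out.append(value)
    return out


def blend(x: int, y: int, width: int) -> int:
    """Blending: the upper half of the output from x, the lower half from y."""
    half = width // 2
    return (x & (mask(half) << half)) | (y & mask(half))


def fold_permutation(products: List[int], width: int) -> List[int]:
    """Figure 19, four executions: a->b, b->c, c->d, d->a, then blend da with bc
    (and likewise ab with cd). Assumption: output i blends fold i with fold i+2,
    taking the upper half from fold i."""
    n = len(products)
    folds = [halves(products[i], width)[0] ^ halves(products[(i + 1) % n], width)[1]
             for i in range(n)]                       # ab, bc, cd, da
    return [blend(folds[i], folds[(i + 2) % n], width) for i in range(n)]


if __name__ == "__main__":
    # Constructed 8-bit operands for four companion executions
    pairs = [(171, 205), (18, 52), (255, 2), (16, 17)]
    products = [a * b for a, b in pairs]
    print("simple:     ", hex(fold_simple(171, 205, 8)))
    print("form:       ", hex(mul_form(171, 205, 8)))
    print("pairwise:   ", [hex(v) for v in fold_pairwise(products[:2], 8)])
    print("round-robin:", [hex(v) for v in fold_round_robin(products[:3], 8)])
    print("permutation:", [hex(v) for v in fold_permutation(products, 8)])
```

The width is a parameter so the same code shows the 8-bit case that can be checked by hand and the 64-bit MultiDES case; the folds only ever see the products, so any of the forms of multiplication above can feed them.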

The preferred embodiment of the method of the present invention, TMD, can have two, three,
four, or more MultiDES rounds run in tandem. A methodology for folding companion round
multiplication together to achieve the TMD cipher is shown in figures 14-16. A MultiDES round has
a block size of 64 bits and a key size of 64 bits (figures 14-15). TMD, using two MultiDES rounds in
tandem, has a block size of 128 bits and a key size of 128 bits (figures 16-17). TMD, using three
MultiDES encryptions in tandem, has a block size of 192 bits and a key size of 192 bits (figures 16
and 18). TMD using four tandem rounds has a block size of 256 bits and a key size of 256 bits
(figures 16 and 19).

Reference is made to figures 20-26. Step numbers within the set of figures 20-26 are understood
to be local to that set of figures unless specifically stated otherwise. Figure 20 is a simplified
flowchart illustration of a preferred method for protecting data on a persistent storage medium, such
as a hard disk, of a computer, such as a notebook computer. Preferably and optionally, a casual
browser does not know that the file system is encrypted. Preferably and optionally, only the user files
of the hard disk or other storage device are encrypted. Preferably, the computer continues to decrypt
and encrypt files automatically without user involvement whenever a disk read or write occurs.

Briefly, in step 10, the intention to write to a cluster "c" of a hard disk is detected. Typically,
encryption is determined on a file-by-file basis, but performed on a cluster-by-cluster basis.
Preferably, encryption happens at the time of disk reads and writes on the cluster level. Typically,
legitimate backup causes work to be perfectly restored whereas illegal backup files remain encrypted.
In step 20, information is trapped which is intended to be written to this cluster, for example as
entered by a user of the computer. A symmetric cryptosystem is then used to encrypt the
information. In step 30, the information is stored in cluster "c" on the persistent medium.

According to another symmetric key ciphering method provided in accordance with a preferred
embodiment of the present invention, the following steps are performed: generation of a key,
encryption of a file using the key, encryption of the key, storage of the encrypted key on a persistent
medium, typically a hard disk, decryption of the key, and use of the key to decrypt the file.

Typically, the FAT is used to determine the last cluster of a file given a sector within the file. 

According to a preferred method for encryption of a storage device, typically a hard disk, the
master key for decryption is never present in any form on the hard disk.

Preferably, a user-selectable time-out requires re-entering the password to continue decoding
files. Typically, the time-out is different for regular use and for idle time.

Figure 21 is a simplified self-explanatory flowchart illustration of a preferred method for
protecting confidentiality of information written on a notebook computer, the method being
constructed and operative in accordance with a preferred embodiment of the present invention.

Briefly, in step 100, a pass phrase is provided. The pass phrase typically includes at least 80 to 90 bits
of entropy. In step 110, an MD5-MAC key is provided. The MD5-MAC key is typically generated
unique to every installation of the method. For example, if software for performing the above MD5-
MAC authentication method is installed on a population of hard disks, each hard disk is preferably
provided with its own unique key. Typically, this uniqueness of the key is accomplished by
cryptographically hashing (e.g. using an MD5 hash or a MultiDES-based encryption method operative
as a hash) information available on the user's hard disk at time of installation. Optionally, the pass
phrase is probabilistically checked for correctness.

Typically, the information which is hashed includes the directory tree. In step 120, the pass phrase
is processed using the MD5-MAC key. In step 130, the ciphered pass phrase is partitioned into at
least two portions, one of which is the key generation key. In step 140, a file key is generated using
the key generation key, as shown in more detail in Figure 22. Preferably, an MD5-MAC authentication
method is provided, as shown in figure 21, which can include performing MD5-MAC (described in
the above-referenced Menezes document) on a pass phrase and partitioning the result into two 64-bit
quantities. Examples of uses for the two 64-bit quantities are described below. Alternatively, use
Multi-DES based systems employed as a hash function with 256-bit block size.

Figure 22 is a simplified flowchart illustration of a use of a slightly modified MD5-MAC message
authentication code method constructed and operative in accordance with a preferred embodiment of
the present invention. Also provided, according to a preferred embodiment of the present invention, is
an architecture for key generation given a sector with 16 DOS directory entries and the number of a
specific entry therein. The information is cryptographically mixed to provide a file key. In other
words, according to a preferred embodiment of the present invention, a key can be generated by
cryptographically mixing a sector having 16 DOS directory entries with the entry from among the 16
entries for which the key is being generated. The cryptographic mixing is typically performed using a
symmetric cipher with 64-bit plain text block size and 56 or 64 bit key size, although other key and
block sizes are possible, particularly as provided by MultiDES based systems. Preferably, the bytes which
participate in the cryptographic mixing are 8 bytes per directory entry starting at 16 Hex, 36 Hex, 56
Hex, etc.

Preferably, the first input to the cryptographic mixing is the specific directory entry and the first
directory entry, with one playing the role of the key and the other the plain text. Typically, the
subsequent input to the cryptographic mixing is the output of the (i-1)'th mixing (1<i<17) and the i'th
directory entry, with one playing the role of the key and the other the plaintext. Preferably, the
resulting output of the 16th cryptographic mixing is used as a key to encrypt a file. The file key may
be encrypted using one of the 64-bit quantities from MD5-MAC or a MultiDES based hash.

Preferably and optionally, the first input to the cryptographic mixing is the specific directory entry
and all of the directory sector (512 bytes is 4096 bits per block), with one playing the role of the key
and the other the plaintext. Optionally, location on disk as calculated in heads, tracks, cylinders, sectors,
and offset may be added to the key and/or plaintext before applying Multi-DES based methods to
accomplish the cryptographic mixing. Alternatively, the cryptographic mixing is done using a fast
parallel bit-wise vector implementation of Multi-DES based systems or DES based systems with a
form of multiplication used in place of exclusive-or for key insertion within the round function.

In step 200, a sector of a DOS directory and the offset 1<j<17 of a particular file entry within the
sector are provided. Preferably, the location of the file within the hard disk is also provided (see
step 520 of Figure 25 below). A cryptographic key is generated according to the following steps. In
step 210, 8 bytes per directory entry are provided, starting at 16 Hex, 36 Hex, 56 Hex, etc., to obtain
16 64-bit intermediate keys numbered 0<i<17. In step 220, these 8 bytes per directory entry are encrypted
with intermediate key i as plaintext and intermediate key j as the key to obtain an intermediate value
as ciphertext. Preferably, the location is added to key j substantially before key j is employed as a
key. In step 230, step 220 is repeated except that the result of step 220 is the key for the encryption
to obtain a new intermediate value as ciphertext. In step 240, step 230 is repeated 16 times. In step
260, the resulting intermediate value for i=16 is the plaintext and the key generation key from the
MD5-MAC or MultiDES-based encryption method operative as a hash is the key for encryption to
obtain a file key as ciphertext. Optionally, differential time between keypresses or disk latency time or
the contents of keystrokes or contents of disk reads are used to seed a random number generator.

Figure 23 is a simplified self-explanatory flowchart illustration of a preferred method for
generation of file keys forming a part of the method of figure 22, using contents of DOS directory
entries as plain texts and keys to generate a file key. In step 300, a symmetric cipher key is generated,
for example according to Figure 22. In step 310, a file or directory is encrypted with a symmetric
cipher, for example with MultiDES-based encryption methods, such as that shown in Figure 26. In
step 320, the file key is encrypted as plaintext using a key protection key, typically generated
according to Figure 21, as key with a symmetric cipher to obtain a protected file key. Alternatively,
the file key is generated by employing information available in the sector of the directory of the file,
using MultiDES-based encryption methods, employing the specific file entry as the key and the
remaining part of the sector as the plaintext. In step 330, the protected file key is stored in a
conveniently located portion of the disk, for example in the last bytes of the last cluster allocated to
the file.

Figure 24 is a simplified self-explanatory flowchart illustration of a preferred method for performing
an encryption of a file using the method of figure 22 to generate file keys and the output of the
method of figure 21 to protect the file key. In step 400, a symmetric cipher key is generated,
typically using Figure 22, or using MultiDES-based encryption methods as mentioned above. In step
410, a file or directory is encrypted with a symmetric cipher and the key is stored, for example
according to Figure 23. In step 420, a key protection key is provided, typically generated according
to Figure 21 or using MultiDES-based encryption methods effective as a hash function. In step 430,
the protected file key is retrieved from a conveniently located portion of the disk, substantially as
previously described. In step 440, the protected file key is decrypted as ciphertext using a key
protection key, for example generated according to Figure 21 or using MultiDES-based encryption
methods effective as a hash function, as key with a symmetric cipher to obtain a file key. In step 450,
the file is decrypted by using the file key as the key by conventional methods, or alternatively
according to Figure 26.

Figure 25 is a simplified self-explanatory flowchart illustration of a preferred method for performing
an encryption of a file on a sector by sector basis using unique information based on the location on
the particular hard disk and cipher-block-chaining within the sector. According to a preferred
symmetric key ciphering method provided in accordance with the present invention, ciphering
proceeds as follows: given a key and a sector number of data to be encrypted, encryption is carried
out typically using the location serial number as an initial vector. Thus, preferably employ subkey-
chaining-mode together with bit-slice vector implementation to maximize block size for the Multi-DES
based method. According to another file encryption method provided in accordance with a preferred
embodiment of the present invention, a symmetric cipher key is generated, a file is encrypted and a
protected file key is stored. The protected file key is typically stored in a conveniently locatable place
on the disk, typically in the last bytes of the last cluster allocated to the file.

A preferred method for protecting hard disks uses an available attribute bit from the attribute byte,
typically bit 6, to indicate whether or not to encrypt. Preferably, there is a default as to whether or not
to encrypt, the default being, for example, to encrypt. Preferably, each file handle, upon opening the
file, is associated with a bit which indicates whether or not to encrypt the contents of the file.
Typically, the association is a simple index into a 256-byte table.

In step 500, a key is provided, for example according to Figure 22 or using MultiDES-based
encryption methods effective as a hash function, as key with a symmetric cipher to obtain a file key.
In step 510, a sector number of the data to be encrypted is provided. In step 520, a location serial
number is obtained by deriving sector number information which is unique to the presently installed
hard disk and current location, such as hard drive number, cylinder number, sector number, and
number of the read/write heads. In step 530, a sector is partitioned according to the symmetric cipher
block size into plaintext blocks, for example according to MultiDES-based methods. In step 540, the
sector is encrypted with cipher-block-chaining or sub-key-block-chaining mode of the methods of the
present invention (for example as shown in figure 11), by using conventional methods according to
the location serial number as the initial vector.
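The following is an added example, not code from the patent or its inventor, that carries the file key derivation of Figure 22 (steps 210-260: 8 bytes of each of the 16 directory entries chained through a 64-bit block cipher and finished under the key generation key from Figure 21) and the sector encryption of Figure 25 (steps 520-540: cipher-block-chaining within the sector with the location serial number as the initial vector) through in Python. It assumes a stand-in 64-bit Feistel cipher built on SHA-256 in place of DES or MultiDES, takes the file's own entry as the first key and the first entry as the first plaintext as its reading of step 220, packs the location serial number from drive, cylinder, head and sector numbers as four 16-bit fields, and constructs its own sample directory sector; all names are the example's own. What the derivation does and does not protect is worth keeping in view: the directory entries are readable on disk by anyone, so the secrecy of the resulting file key rests entirely on the key generation key applied in step 260, and the location-derived initial vector is a fixed, predictable value, not a secret.

```python
# Added example: Figure 22 file-key derivation and Figure 25 sector CBC.
# Stand-in 64-bit Feistel cipher over SHA-256; NOT DES or MultiDES.
import hashlib
import struct
from typing import List

BLOCK = 8                 # 64-bit block
ROUNDS = 4                # rounds of the stand-in cipher
ENTRY_SIZE = 32           # DOS directory entry size
ENTRIES = 16              # entries in a 512-byte directory sector
KEY_OFFSET = 0x16         # 8 bytes per entry at 16 Hex, 36 Hex, 56 Hex, ...


def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher: keyed hash truncated to 32 bits
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher; substitute the real cipher here."""
    assert len(key) == BLOCK and len(block) == BLOCK
    l, r = block[:4], block[4:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def entry_keys(directory_sector: bytes) -> List[bytes]:
    """Step 210: the 16 64-bit intermediate keys, one per directory entry."""
    assert len(directory_sector) == ENTRY_SIZE * ENTRIES
    starts = [i * ENTRY_SIZE + KEY_OFFSET for i in range(ENTRIES)]
    return [directory_sector[s:s + BLOCK] for s in starts]


def derive_file_key(directory_sector: bytes, entry_index: int, key_generation_key: bytes) -> bytes:
    """Figure 22 for the file at entry_index (1..16). Directory entries are
    readable on disk; the key's secrecy rests on key_generation_key alone."""
    keys = entry_keys(directory_sector)
    # Step 220 (our reading): the file's own entry is the key, entry 1 the plaintext
    value = block_encrypt(keys[entry_index - 1], keys[0])
    # Steps 230-240: each result keys the mixing of the next entry
    for entry in keys[1:]:
        value = block_encrypt(value, entry)
    # Step 260: the i=16 value is encrypted under the key generation key
    return block_encrypt(key_generation_key, value)


def location_iv(drive: int, cylinder: int, head: int, sector: int) -> bytes:
    """Step 520: location serial number packed as four 16-bit fields (assumed)."""
    return struct.pack(">HHHH", drive, cylinder, head, sector)


def cbc_encrypt_sector(file_key: bytes, iv: bytes, sector: bytes) -> bytes:
    """Steps 530-540: split the sector into 64-bit blocks, chain them in CBC."""
    assert len(sector) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(sector), BLOCK):
        prev = block_encrypt(file_key, _xor(sector[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_sector(file_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(file_key, block), prev))
        prev = block
    return b"".join(out)


def sample_directory_sector() -> bytes:
    """Constructed 512-byte directory sector (not real disk data): 16 entries
    with distinct time/date/cluster/size fields at offset 0x16."""
    entries = []
    for i in range(ENTRIES):
        e = bytearray(ENTRY_SIZE)
        e[0:11] = b"FILE%02d  TXT" % i
        e[KEY_OFFSET:KEY_OFFSET + BLOCK] = struct.pack("<HHHH", 0x4000 + i, 0x2A00 + i, 100 + i, 512 * (i + 1))
        entries.append(bytes(e))
    return b"".join(entries)
```

Usage: derive_file_key(sample_directory_sector(), 3, key_generation_key) gives the file key for the third entry, and cbc_encrypt_sector(file_key, location_iv(drive, cylinder, head, sector), data) encrypts one 512-byte data sector; cbc_decrypt_sector with the same key and location recovers it, so a sector that moves to a different physical location decrypts to garbage unless its original location serial number is known.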
Figure 26 is a simplified self-explanatory flowchart illustration of a preferred method for performing
the method of figure 25 wherein the encryption is a fast parallel bit-wise vector implementation of DES
with a form of multiplication substituted for exclusive-or when combining the subkey with the
plaintext derived input, such as MultiDES. The symmetric cipher is typically a fast parallel bit-wise
vector implementation of DES using a form of multiplication for key insertion. The size of the bit-
wise vector is preferably a multiple of 8 such as 16, 32, or 64. MultiDES is operative a sector at a
time as well as a cluster at a time.

The above methods and systems are useful for many storage devices such as hard disks, and such
as the hard disk of a portable computer, typically a notebook computer, in particular.

It is understood that in figures 27-36, wherever addition or multiplication is used, a form of
multiplication may be substituted. Likewise, parallel execution(s) may be combined using techniques
of folding and/or blending. In figures 27-36, the symbol +, not encircled, indicates standard
addition. Step numbers within the set of figures 27-36 are understood to be local to that set of figures
unless specifically stated otherwise. The symbol +, encircled, indicates an exclusive-or operation.
The symbol + in a square indicates standard addition.

Reference is now made to figure 27 which is a simplified flowchart illustration of a DES
encryption method constructed and operative in accordance with a preferred embodiment of the
present invention. A suitable initial permutation (e.g. for step 10) and a suitable final permutation
(e.g. for step 30 as well as for step 320) and a suitable DES key schedule (e.g. for step 50) are all
described in Biham and Shamir's Appendix A, "Description of DES" and/or in the Glossary of the
above-referenced Biham and Shamir publication.

To obtain an inverse of the P permutation, conventional methods may be used to compute an
inverse of the P permutation described in Biham and Shamir's Appendix A and/or glossary of the
Biham and Shamir publication.

The subkey table generated in step 50 may, for example, be stored on a hard disk. It is stressed
again that a form of multiplication specifically includes common addition as a possible form.

Figure 28 is a simplified flowchart illustration of a first preferred method for performing an n'th
DES round forming part of the method of the previous figure, using addition to combine subkey with
plain text derived input of the method of the previous figure (step 80). The method of the current
figure uses a form of multiplication to combine subkey with plain text derived input.

Figure 29 is a simplified flowchart illustration of a second preferred method for performing an n'th
DES round (step 80) employing a form of multiplication, part of the method of figure 27. The
method of the current figure, like the previous figure, uses a form of multiplication to combine a
subkey with plain text derived input. However, in the previous figure, only a single plain text is
typically encrypted at a time whereas in the current figure, a plurality T of plain texts, such as T = 32
plain texts, each including I bits (typically I=64) are encrypted simultaneously. Typically, the DES
encryption method of figure 27 is repeated T times and the i'th performance (i=1, ..., T) of the DES
encryption method of figure 27 encrypts an i'th bit of each of the plain texts. Optionally, third and
fourth permutations may be used which respectively replace the first and second permutations of
steps 40 and 120 respectively. The third permutation is defined by associating the i'th bit of the t'th
plain text derived input. The fourth permutation is defined by associating the i'th bit of the t'th
ciphered text (t=1, ..., T) with the t'th bit of the i'th final round output. If a plurality of plain texts
are encrypted simultaneously using exclusive-or to combine subkey with plain text derived input, then
the encryption output is no different than it would be if the plurality of plain texts were to be
encrypted one by one, the only advantage of simultaneous encryptions being speed. However, if, as is
shown in the previous figure, the plurality of plain texts are encrypted simultaneously using a form of
multiplication (not exclusive-or or another bit-wise operation) to combine subkey with plain text
derived input, then the encryption output is different than it would be if the plurality of plain texts
were to be encrypted one by one. It is appreciated that because the results of the encryption method
of the current figure are different from the results of conventional DES, the initial and final
permutations of DES may be skipped, to increase speed. When step 310 is performed for a first
round of DES encryption (n=1 in figure 27) the plain text derived input typically comprises the plain
text itself. When step 310 is performed for a subsequent round of DES encryption (n>1 in figure 27)
the plain text derived input typically comprises the output sequence of 64 integers generated in step
370 of the previous round n-1. The expansion table used in the current figure, step 310, is typically
the same expansion table used in figure 28, step 140. Step 350 may be performed using any of the
possible logic gate configurations described herein and others. In the current figure, the length of
each subkey-derived integer and each plain text derived integer may be any suitable length such as 8
bits, 16 bits, 32 bits or 64 bits.

Figure 30 is a simplified flowchart illustration of a modification of figure 28 in which first and
second permutations and mapping are employed to perform the DES round; useful when steps 10 -
30 are employed. In the method of the current figure, the mapping generated in step 30 is employed
to perform a DES round.

Figure 31 is a simplified flowchart illustration of a third preferred method for performing an n'th
DES round forming part of the method of figure 27, wherein subkeys are combined with plain text
derived input using a form of multiplication as shown. A preferred method of the current figure is the
combination of s-boxes, permutation and expansion into a single table look-up.

Figure 32 is a simplified flowchart illustration of a DES encryption method constructed and 
operative in accordance with another preferred embodiment of the present invention. 

Figure 33 is a simplified flowchart illustration of a fourth preferred method for performing an n'th
DES round forming part of the method of figure 32, using multiplication to combine subkey with
plain text derived input.

Figure 34 is a simplified flowchart illustration of a fifth preferred method for performing an n'th DES
round forming part of the method of figure 32.

Figure 35 is a simplified flowchart illustration of a modification of figure 33 in which first and
second permutations and mapping are employed to perform the DES round.

Figure 36 is a simplified flowchart illustration of a sixth preferred method for performing an n'th
DES round forming part of the method of figure 32.

Appendices include a description of research based on findings which indicate that replacing the
exclusive-or operation with an addition operation, within the F function described by Biham and
Shamir, does not always yield a weaker cryptosystem, contrary to the teachings of Biham and Shamir
in section 4.5.3.1 of Chapter 4 of the above-referenced Biham-Shamir publication. The research
findings described in the appendices also indicate that replacement of exclusive-or within the F function
by common multiplication with final carry discarded is, in certain situations, stronger than
conventional DES methods. The research findings also suggest that replacement of exclusive-or
within the F function by multiplication over a ring is preferable to replacement of the same by
common multiplication with final carry discarded.

The method of the present invention provides a rapid, simple, and secure means for controlling a
microprocessor to effect symmetric message authentication, one-way hashing with or without a key,
and a symmetric block cipher.

Many other variations are possible; for example, the expansion mapping is unnecessary when a
form of multiplication is used for key insertion. Other variations are possible; for example, the key
insertion and folding operations can be applied to a variety of ciphers to yield improved block size
regardless of whether the Feistel structure or a totally different construction is used.

Other variations are possible; for example, the key insertion and folding operations can be applied
to a cipher whose block length is any arbitrary amount shorter than the designated block length by
replacing the influence of plain text derived input by additional subkeys in each round. For example,
to shorten a 64-bit block cipher to 48 bits only, simply encrypt normally, but at the start of each round
where plain text derived input is required use 48 bits only and use an additional 16 bits of subkey that
round. The key schedule would require more rounds at key set-up time to effectively generate the
additional subkey bits for each round.

Other variations are possible; for example, the key insertion and folding operations can be applied
to a cipher for which every s-box is influenced by every plain text derived input bit in a round. In
place of the blending operation described, use a form of multiplication for key insertion again on a
distinct set of subkeys. These results can be blended between the first and third s-box inputs as well
as the second and fourth s-box inputs. Blending takes half of the output from one of the arguments
and the other half from the other.

Other variations are possible; for example, the key insertion and folding operations can be
modified so as to use any group operation or operation which combines a few group operations. For
example, the folding can be done using addition, subtraction, or even modular multiplication or
division.

Other variations are possible; for example, the key insertion and folding operations can be
combined with a bit slice implementation where the size may be chosen based on considerations of
existence of Fermat primes.
Likewise, common multiplication can be used as an expansion operation instead of the standard E
mapping. Multiplication of a 32 bit subkey by a 32 bit plain text derived input yields a 64 bit
quantity. We may discard the upper and lower 8 bits of the result, leaving us with 48 bits which can
be fed into the S-boxes. Likewise, the expansion mapping could be accomplished after the key
insertion operation. This has the advantage and object of simplifying the round function and causing
the bits entering the s-box to depend on a plurality of plain text derived input bits, as distinct from the
prior art wherein the dependence is on a single plain text derived input bit.

Execution of two operations of block or stream encryption in parallel can employ common
multiplication with exclusive-or to fold the upper half of the result of the multiplication into the lower
half of the companion execution. This is referred to as MultiDES based systems, one embodiment of
the method of the present invention. An object and advantage is to extend the key-block length by
causing mutual influence of plain text derived input bits on the other respective round output.

If the two operations are MultiDES based systems with bit-slice implementation, one embodiment
of the method of the present invention, encryptions running in parallel, similar folding techniques can
be applied in parallel yielding a 1024-, 2048- or 4096-bit block cipher called MultiDES based systems with
bit-slice implementation, one embodiment of the method of the present invention. An object and
advantage is to extend the key-block length by causing mutual interference of plain text derived input
bits on the other respective round output. Moreover, a five-fold speed increase is achieved relative to
the embodiment with non-bit-slice s-boxes.

The bit-slice implementation does not need to encrypt exactly 64 plain texts at once. Rather,
preferably and optionally, encrypt 4, 8, 16, or 32 at a time. This enables the group operation of
multiplication using a Fermat prime to combine a 16-bit subkey with a 16-bit plain text derived input.
Naturally, simultaneous encryption of 2, 4, and 8 plain texts typically uses multiplication over a field
modulo a Fermat prime. Multiplication over a field modulo a Fermat prime can be improved relative
to the all-zero key by treating zero as -1 over the field. An object and advantage of modular
multiplication is that, being a permutation, it is known to use all bits in the domain and range.

In fact, use of common multiplication using some method such as exclusive-or to fold the upper
and lower halves together, or multiplication over a ring (or a field), should yield similar results.
Unlike Biham's solution, this is not plug-compatible with prior art DES. Rather, it causes each of
the 16-bit plain text derived inputs in a given round to influence at least one bit in every other
simultaneous encryption, because there exists a given 16-bit input, for a fixed key, yielding any
particular desired output bit combination. Thus, Shannon's criteria of diffusion and confusion are
better satisfied. Multiplication over a field defined by a Fermat prime is no longer computationally
expensive in the Intel microprocessor architectures. Our method would extend to any method of
multiplication which could be simply expressed as a combination of the resulting two input-sized
results from common multiplication. The group operation chosen within a round to combine the
subkey with plain text derived input need not be constant from round to round. The method of the
present invention may be cascaded, used before or after known or to be invented methods.

Advantages and objects of the bit-slice ramification of the method of the current embodiment of the
present invention include additional speed, additional block size, effective hardware implementations,
encryption block size matching that of public-key algorithms such as RSA, convenient stream cipher,
and powerful hash function.

One advantage and object of the method of the present invention is increased speed. MultiDES
based systems with bit-slice implementation, one embodiment of the method of the present invention,
achieve block throughput rates averaging about five times as fast as prior art DES. This improvement
is achieved without reducing the number of rounds.

Another advantage and object of the method of the present invention is increased block size.
The huge block size ranging from 512 bits to 4096 bits breaks up local patterns effectively and
depends on every single bit of key and/or plain text input.

Another advantage and object of the method of the present invention is effective hardware 
implementations. 

The approach is suitable for use on many computers, not limited to 64-bit microprocessors
such as the DEC Alpha, or on 32-bit microprocessors such as the Intel Pentium. Likewise, an efficient
example implementation using logic gates has been accomplished.

Another advantage and object of the method of the present invention is encryption block size 
matching that of public key systems. For the first time, a secure symmetric system achieves the same 
block size as RSA. 
Thus, it would be a natural partner to RSA in new protocols. For example:

1. signatures based on a partial or folded output of MultiDES based systems with bit-slice
implementation, one embodiment of the method of the present invention.

2. zero-knowledge identification in which partial outputs of MultiDES based systems with bit-
slice implementation, one embodiment of the method of the present invention, are shown.

3. digital cash in which spending a coin reveals a key and partial output;
double spending would be caught when more output is revealed.

Another advantage and object of the method of the present invention is an effective stream
cipher and hash function. The ability to effectively mix significant chunks of data allows for a natural
application as a pseudo-random number generator to be used as part of a stream cipher. Likewise,
huge inputs are rapidly hashed to the desired size.

An advantage and object of the architecture of the present invention is that sleep to disk causes
encryption of memory being written to disk and/or erasure of the master key in memory prior to
writing to disk.

Another advantage and object of the architecture of the present invention is that an enemy who
captures a computer which is powered off (or in smart-sleep state where memory is written to
disk) gains nothing except the encrypted data.

Another advantage and object of the architecture is that recovering the data requires either
knowledge of the pass phrase or the equivalent of breaking an accepted or patented encryption method.

Another advantage and object of the architecture is that typically, identical files encrypted under
the same key do not yield even the same initial encrypted block.

Another advantage and object of the architecture is that typically, files which are not
cryptographically sensitive are not automatically encrypted.

Another advantage and object of the architecture is that typically, user files and newly created
files are automatically encrypted.

Another advantage and object of the architecture is that typically, encrypted and plaintext files co- 
exist on all but the most security intensive systems. 

Another optional advantage of the architecture is that it is not obvious that encryption has been 
used, except for used hard disk space for which no files lay claim. 




Another application and object of the method of the present invention is in a wide variety of
applications including fast communication links and local applications, e.g. for confidentiality and
authentication purposes, particularly including: automatic, background encryption of hard disks of
notebook computers, preferably on a file-by-file basis; encryption of file names on a storage medium;
encryption of file contents, encryption of file names of those files and omission of information
regarding those files from file directory listings; trapping all READs and WRITEs to the disk either
on the DOS level or on the BIOS level; trapping any "sleep" mode writing to a disk of a notebook or
desktop computer; cluster-by-cluster encryption; sector-by-sector encryption; use of bits in an
attribute byte for deciding whether or not to encrypt a file; use of cipher block or subkey generation
chaining mode over the largest block read or written by the chosen operating system as a single unit
(typically a sector, cluster or track), employing sector number, track number, head number, cylinder
number, cluster number, disk drive serial number, and any other available information to characterise
a present location within a specific hard disk; and encryption of a cipher key and placing it in a
location within a hard disk which is easily addressable given the cluster number of a cluster within a
file. For example, the easily addressable location may be the last bytes of the last cluster in a file which
contains a cluster whose number is given, or in the directory or cluster allocation information related
to the file.

Another suitable method for implementing the method of the present invention involves
optimisation of 32-bit parallelism and 32-bit registers running in protected mode, or optimisation of
16-bit parallelism and 16-bit registers running in real mode, or optimisation of 32-bit parallelism and
32-bit registers running in real mode with 32-bit op-codes, or optimisation of 64-bit parallelism and
64-bit registers running in real mode using a floating point unit to perform 64-bit arithmetic
operations. Preferably, each input register to any of the arithmetic operations shown and described in
figures 27-36 is fully utilised, but carries are preferably ignored as necessary depending on the size of
available registers.

WORK ON PRESENT INVENTION: IMPLEMENTATION DETAILS 
Various previously described features of the present invention were tested in actual 
implementations of cryptographic software for performing the methods of the present invention. The 
described techniques were applied to improve the preferred method of the present invention, yielding 
a speed of implementation of 16,000 bytes per second on a Pentium 120 MHz machine. Some
approaches to enhance speed included the following: calculating the 16 sub-keys in advance, instead
of for each plain text. In calculating the sub-keys, the method combined the initial key permutation,
key shift per round and compression permutation, and output a 48 by 16 table relating the position of
a compression bit with the bit position of the original key. Further, the method combined the P-box
permutation, the initial and final permutations, and the Expansion Permutation into the H and F
tables, causing the P-box permutation to 'disappear'. Thus, a preferred method of the present
invention was implemented as follows: The subkey bit positions (by round) were calculated in
advance. The plain text was permuted by an F[] table, and then split into f1[] and f2[], with f2[] being
used in a round. In each round, the H[] table re-ordered f2[]. Reordered bits were then applied the
function exclusive-or with the subkey. The S-boxes were viewed as an array of 64 values. Then the
exclusive-or value was applied to the element number value in that position in the array of
the S-box output. D[] was then applied to the exclusive-or result of f1[] and the S-box
output. At the end of each round (including the last), f2[] was copied into f1[] and f3[] was copied
into f2[]. After the 16 rounds, a T[] table determined the cipher text bit positions from f1[] and
A preferred embodiment of the machine of the present invention was enhanced with programming
techniques to speed up the program. The new speed recorded was 34,000 bytes per second on a Pentium
120 MHz machine. Techniques employed included using integer registers, and using an 'nbit' 2-
dimensional table, where the row number was the numerical value and the row itself was the bit
representation of that value. In going from nibbles to bits, the method copied nbit[row], where
row was the value of the nibble (16 rows in all). Additional steps included changing f1[], f2[] and
f3[] to a 2-dimensional table f[][], where the row value was represented by the variables f0, f1, f2,
initialized as 0, 1, 2 respectively. From round to round, 1 modulo 3 was added to these values. The
steps in each round were now as follows: the nbits at row f[f1] were copied to an array called 'fbit'.
For each S-box input: used the H[] value to choose a bit from fbit; used left shift and exclusive-or to
accumulate k. Exclusive-or k with the sub-key[round, S-box]. f[f2] = S-box[k] ^ f[f0]. Rotated:
m=f0, f0=f1, f1=f2, f2=m, even at the end of the last round.

The method also applied bit-slice methodology, enabling encryption of 32 plain texts at a time.
The speed was 506,000 bytes per second on a Pentium 120 MHz machine; 257,000 bytes per second
included the bit-splitting that proved that this was in fact an implementation of DES. An
implementation included: the 64-bit key was converted to the 16 round sub-keys, except that each bit
was expanded to an integer of 32 bits. Therefore, each subkey contained 48 integers, each integer
being either all zeros or all ones.

A machine started operation by reading 32 blocks of 64-bit plain texts, for a total of 64 integers
at a time. Every 2 integers represented one plain text. The data was optionally re-arranged as
follows. Every plain text has 64 bit positions. Each bit went into a separate integer. The bits of the first
plain text went into the high order position of each integer. The bits of the second plain text went into
the next highest order, and so on. As a result each output integer represents one bit position of every
plain text. The implementation follows the ideas of combining permutations. The plain text was
permuted by an F[] table, and then split into f[f0] and f[f1], with f[f1] to be applied the function
exclusive-or with the sub-key. In each round, the H[] table re-orders f[f1]. The reordered bits were
then applied the function exclusive-or with the subkey, with the result going into an array of 48
integers.

The data went into the logic_gates() routine, which was described in detail in the description of
figure 9. The logic gates mimicked the S-boxes by viewing each output integer as a function of 6
input integers. f[f2] = f[f0] applied the function exclusive-or with the logic gate output. The f0, f1, and f2
values rotate (m=f0; f0=f1; f1=f2; f2=m) even at the end of the last round. After the 16 rounds, a T[]
table determines the cipher text bit positions from f[f0] and f[f1]. Finally, the bits were re-arranged
in a procedure reverse of the original: each cipher text contains one bit position of each of the 64
integers.
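The bit re-arrangement just described can be written out explicitly. The following Python is an added worked example, not code from this patent or from its authors; it assumes 32 plain texts per pass (one per bit of a 32-bit integer) with the first plain text in the high-order bit, as the text states, and it uses constructed sample blocks and a constructed 64-bit key. The function names (bit_split, undo_split, expand_subkey, key_mix, sliced_xor_matches) are the example's own.

```python
# Added example (not the patent's own code): bit-split packing of 32 blocks into
# 64 words, the all-ones/all-zeros subkey words, and a check that one XOR per bit
# position mixes the key into all 32 texts at once.
WIDTH = 32                        # plain texts processed in parallel, one per bit of a word
WORD_MASK = (1 << WIDTH) - 1


def bit_split(blocks):
    """Transpose WIDTH 64-bit blocks into 64 words: word p holds bit p (1..64 counted
    from the left) of every block, the first block in the high-order bit position."""
    assert len(blocks) == WIDTH
    words = []
    for p in range(64):
        w = 0
        for i, blk in enumerate(blocks):
            w |= ((blk >> (63 - p)) & 1) << (WIDTH - 1 - i)
        words.append(w)
    return words


def undo_split(words):
    """Inverse of bit_split: gather bit i of each of the 64 words back into block i."""
    blocks = []
    for i in range(WIDTH):
        blk = 0
        for p in range(64):
            blk = (blk << 1) | ((words[p] >> (WIDTH - 1 - i)) & 1)
        blocks.append(blk)
    return blocks


def expand_subkey(subkey, nbits=48):
    """Each subkey bit becomes a whole word: all ones for a 1 bit, all zeros for a 0 bit,
    so one word serves every parallel encryption (48 words for a DES round subkey)."""
    return [WORD_MASK if (subkey >> (nbits - 1 - j)) & 1 else 0 for j in range(nbits)]


def key_mix(words, subkey_words):
    """The per-round key step in sliced form: one XOR per bit position."""
    return [w ^ kw for w, kw in zip(words, subkey_words)]


def sliced_xor_matches(blocks, key):
    """Check that mixing a 64-bit key in sliced form equals XORing it into each block."""
    mixed = undo_split(key_mix(bit_split(blocks), expand_subkey(key, 64)))
    return mixed == [blk ^ key for blk in blocks]


# Constructed sample input: 32 distinct 64-bit blocks (not data from the patent).
SAMPLE_BLOCKS = [(0x0123456789ABCDEF * (i + 1)) & 0xFFFFFFFFFFFFFFFF for i in range(WIDTH)]

if __name__ == "__main__":
    words = bit_split(SAMPLE_BLOCKS)
    print("round trip ok:", undo_split(words) == SAMPLE_BLOCKS)
    print("sliced key mix ok:", sliced_xor_matches(SAMPLE_BLOCKS, 0x133457799BBCDFF1))
```

The key-mix check shows why the expanded subkey words are all ones or all zeros: a single XOR per bit position applies the same key bit to all 32 texts, and undoing the split returns exactly what a per-block XOR would have produced. The split and its inverse are pure permutations, which is why the text can drop them without weakening the cipher.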

The Bit Split and the Undo Split were essentially an input and final permutation, and can be
omitted without compromising security. They were retained to prove that this program was in fact an
implementation of DES. The speed of a preferred embodiment of the present invention for executing
triple-DES was 171,000 bytes per second on a Pentium 120 MHz machine; 127,000 bytes per second
included the bit-splitting. Triple-DES was 1/3 as fast as DES without bit splitting and 1/2 as fast as
DES with bit splitting. A preferred embodiment of the machine of the present invention for triple-
DES used 3 keys. It encrypted with the first, decrypted with the second and encrypted again with the
third. This embodiment was tested by setting the second and third keys to be identical. The program
was almost identical to that of a previous implementation described above, except that it used 48 rounds.
Subkey generation pre-calculation stored the sub-keys for the decryption phase in reverse order. The test created
160,000 encryptions in 44 seconds. Plain texts were generated by a random generator, and DES was employed on the
plain texts to yield cipher texts. The random generator was timed as generating 7 million bytes of data in 32
seconds, which came out to 6 seconds for the amount of data used. Therefore, the DES operations took 38
seconds. Results were compared to a test bed of data. The random generator was called only once, for the initial
plain text; DES was called using the output of the previous call as input to the current call. The mechanism
for timing was constructed as follows. For this particular test the software did not write out to disk, and
the clock was started right before the first call to DES. At the end of the program, the speed was calculated by the time
elapsed to encrypt 10,000 * 32 blocks of data.

A reduced P permutation is a permutation substantially similar to those shown in figure 8.
The method of the present invention relates to using a form of multiplication as the key insertion
operation and related folding methodologies useful to form a shorter input length keyed hash function.
Another method of the present invention employs bit-slice methods. The preferred embodiment of the
method of the present invention is rapid, simple and can be shown superior to prior art DES which has
faced the tests of time. The method of the present invention achieves a 256-bit input size, yielding a 128-
bit output in the preferred embodiment.
It is appreciated that various features of the invention which are, for clarity, described in the
contexts of separate embodiments may also be provided in combination in a single embodiment.
Conversely, various features of the invention which are, for brevity, described in the context of a single
embodiment may also be provided separately or in any suitable subcombination.


It is appreciated that the software components of the present invention may, if desired, be
implemented in ROM (read only memory) form. The software components may, generally, be
implemented in hardware, if desired, using conventional techniques.

While the above description contains many details, these should not be construed as limitations
on the scope of the method of the present invention, but rather as an exemplification of at least one
preferred embodiment thereof. Accordingly, the scope of the present invention should be determined not
only by the embodiment(s) illustrated including appendices, but also by the appended claims and their
legal equivalents.
APPENDIX

THEORY OF OPERATION 
BACKGROUND FOR THEORY 

Multi-DES is a new cipher based on standard DES with the same
modification as SuperDES without the bit-slice implementation. For
analysis, we defined a variant of common multiplication wherein the upper
half of the result is discarded. Differential cryptanalysis using the XOR as
the differential yielded so many restrictions on the key as to make the
number of possible characteristics insufficient to recover all possible keys.
The best characteristics which we were able to find, multiplied by the
likelihood of a key satisfying them, was approximately the cost of exhaustive
search. Thus MultiDES is stronger than DES.

Continuing our analysis, we defined a variant wherein the multiplication is
done over a field. One example of a field is that generated by multiplication
modulo 2^n + 1 (when such a number is prime). Thus, we changed the group
differential from XOR to ratio over a field. We attempted to build
differential distribution tables for the behavior of the input and output ratio
over the field for the s-boxes. Likewise, we needed such difference tables
for the combination of the P permutation composed with the E expansion.
This further decreased the chance of any successful differential. Moreover,
connection from one round to the next of the characteristic cost additional
probability.

Because for these variants, e.g. where n=16, the tables defined were simply
large, we, for analysis, defined a reduced variant from 12 to 8 bits (with the
expansion mapping defined accordingly). Likewise, because an attack on 16
rounds was difficult, we chose to attack two rounds, using heavily the properties
of the Feistel structure of DES.
ATTEMPTED CRYPTANALYSIS of METHOD AND MACHINE

To effectively evaluate the potential of the TMD cipher, we attacked it with
known cryptanalytic methods. Since the TMD cipher is a tandem
application of two or more MultiDES encryptions, we began our analysis by
studying Differential Cryptanalysis of MultiDES.

MultiDES replaces the internal XOR in the F round of DES with common
multiplication. Upon study of differential cryptanalysis, we found that
substitution of common multiplication for XOR in the F function of DES
yields a cryptosystem which is different from DES. We investigate the
behavior of the MultiDES input difference K(E'):

K(E') = (K · E) + (K · E*)    (1)

Where:

E' = E + E*    (2)

Here K is a key, E' is the XOR input difference (as used in differential
cryptanalysis of DES), E and E* are input plaintexts; E', E and E* are all
valid expanded texts which obey the e-expansion.

In differential cryptanalysis we seek input differences to the substitution
boxes which form the best iterative characteristics, those having the highest
relative probability. Using some of these best choices for characteristics we
will show MultiDES is stronger than DES in a differential cryptanalysis
attack based on classical difference distributions. In addition, we will show
that limitations are placed on the key space for compliance with the best
characteristics chosen; consequently, weak keys, those that comply with
high probability characteristics and allow a differential cryptanalysis attack,
are few.

Limitations are placed on the possible bit patterns for a valid expanded text
(E, E*). When a 32 bit text is expanded into a 48 bit text (12 nibbles in Hex
notation), nibbles 2, 5, 8, and 11 of the expanded text must be symmetric, in
the sense that the two left bits of the nibble must be identical to the two
right bits of the nibble. This is true, since these particular nibbles have bits
that are shared by adjacent substitution boxes. This limits the Hex value of
these nibbles to 0, 5, A, or F. The remaining nibbles must have adjacent
nibble symmetries, in the sense that the two rightmost bits of nibble i (i=1,
3, 4, 6, 7, 9, 10, 12) must be identical to the two leftmost bits of nibble i+1.
Therefore, the expanded text pattern (E, E*) associated with a given
substitution box (before key multiplication) is limited according to the
particular nibbles it contains. The result of the common multiplication of the
expanded text and the subkey, K(E'), is not required to be a valid e-
expansion entity. This iterative characteristic can be formed, for a given
substitution box, from input differences which yield a zero output
difference with a high probability.

In particular, for best results, we consider input differences that affect only
isolated substitution boxes.

In order to meet the isolated substitution box constraint, we have limitations
on the bit patterns of the two nibbles of the input difference. It is noted, for
convenience, that the nibbles of the input difference for a particular
substitution box are related to the nibbles that enter the particular
substitution box in the following way. For even numbered substitution
boxes (2, 4, 6, or 8), the input difference nibbles are mapped directly from
the nibbles entering the substitution box (the right nibble of the input
difference is the right nibble that entered that particular substitution box and
the left nibble of the input difference is the left nibble that entered that
substitution box). For odd numbered substitution boxes (1, 3, 5, or 7), the
bits of the input difference nibbles are not mapped directly to the bits of the
nibbles entering that substitution box; but rather, the right nibble of the
input difference is composed of the two leftmost bits of the right nibble
entering that substitution box with the two rightmost bits of the left nibble
entering that substitution box, while the left nibble of the input difference is
composed of the two leftmost bits of the left nibble entering that
substitution box with the two rightmost bits of a nibble from the previous
substitution box. For input differences entering an even or an odd
substitution box the leftmost two bits of the left nibble (of the input
difference) must be zero, since they are in a previous substitution box. In
addition, since both E and E* must obey the e-expansion and also not
affect neighboring substitution boxes, they both have the two leftmost bits
of their left nibbles and the two rightmost bits of their right nibbles zero.
Moreover, we note that the two rightmost bits of an input pattern are
conserved over key multiplication (i.e., the two rightmost bits of the input
pattern K(E') which are obtained after key multiplication with E and E*
remain zero, as they were in E, E*, irrespective of the key). Therefore, for
any substitution box, both the two leftmost bits of the left nibble and the
two rightmost bits of the right nibble of the input difference must be zero.
Consequently, the input difference K(E') is limited to the Hex values: 0, 04,
08, 0C, 10, 14, 18, 1C, 20, 24, 28, 2C, 30, 34, 38, or 3C. For example, in
substitution box 4, an input difference of 28 Hex meets all constraints and is
a candidate from which we can obtain a high probability iterative
characteristic; since,

Prob(28 -> 0) is 16/64 = 1/4.

(It is noted that the only high probability (1/4) entry in any substitution box
Difference Distribution Table which also obeys the input difference
constraints listed above is the input difference 28 (Hex) in substitution box 4).
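The expansion constraints above can be checked directly from the structure of the E expansion. The following Python is an added worked example, not part of this patent; it uses the standard DES E expansion table (taken from the DES specification, not from this document), and its function names are the example's own. It lists the nibbles that must be symmetric and, for each substitution box, the six-bit XOR input differences E' that can reach that box while every neighbouring box sees a zero difference.

```python
# Added example: structure of the DES E expansion and the "isolated S-box" constraint.
# E is the standard DES expansion table (from the DES specification, not from this page):
# bit j (1-based, from the left) of the 48-bit expanded text is bit E[j-1] of the 32-bit half.
E = [32, 1, 2, 3, 4, 5,
     4, 5, 6, 7, 8, 9,
     8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21,
     20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29,
     28, 29, 30, 31, 32, 1]


def expand(half):
    """E-expand a 32-bit integer (bit 1 = most significant) into a 48-bit integer."""
    out = 0
    for j in range(48):
        out = (out << 1) | ((half >> (32 - E[j])) & 1)
    return out


def symmetric_nibbles():
    """Nibbles (1..12, counted from the left) whose two left bits copy exactly the
    same input bits as their two right bits, so their value can only be 0, 5, A or F."""
    return [i for i in range(1, 13)
            if E[4 * i - 4] == E[4 * i - 2] and E[4 * i - 3] == E[4 * i - 1]]


def sbox_input_bits(b):
    """The six input-half bit numbers that feed substitution box b (1..8)."""
    return E[6 * (b - 1):6 * b]


def shared_input_bits(b):
    """Input bits of box b that a neighbouring box also reads."""
    others = set()
    for other in range(1, 9):
        if other != b:
            others.update(sbox_input_bits(other))
    return [x for x in sbox_input_bits(b) if x in others]


def isolated_input_differences(b):
    """Six-bit XOR input differences E' that reach box b while every other box sees
    a zero difference: only box b's private (unshared) input bits are allowed to differ."""
    shared = set(shared_input_bits(b))
    private = [x for x in sbox_input_bits(b) if x not in shared]
    diffs = set()
    for mask in range(1 << len(private)):
        half_diff = 0
        for idx, bitno in enumerate(private):
            if (mask >> idx) & 1:
                half_diff |= 1 << (32 - bitno)
        expanded = expand(half_diff)
        # every neighbouring box must see a zero difference
        assert all(((expanded >> (48 - 6 * other)) & 0x3F) == 0
                   for other in range(1, 9) if other != b)
        diffs.add((expanded >> (48 - 6 * b)) & 0x3F)
    return sorted(diffs)


if __name__ == "__main__":
    print("symmetric nibbles:", symmetric_nibbles())
    for b in range(1, 9):
        print("S%d shares input bits %s; isolated E' = %s" % (
            b, shared_input_bits(b), [hex(d) for d in isolated_input_differences(b)]))
```

For every box the isolated differences come out as 00, 04, 08 and 0C (Hex): only the two private middle bits of a box may differ, which is why the text's single-bit candidates for substitution box 4 are 08 and 04, and why the two outer bit pairs of any isolated (E, E*) pattern are zero.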

In order to fully understand the behavior of Eq. (1), we first studied a
version of MultiDES in which common multiplication is performed in each
substitution box independently. The input to a particular substitution box is
therefore only a product of the expanded text associated with that
substitution box (a six bit entity) and the bits of subkey associated with that
particular substitution box (six bits of subkey). The result of the common
multiplication of two six bit entities is an eleven bit entity. We discard the
five bits of the upper half (left half) of the result of the common
multiplication, and retain only the six bits of the lower half (right half), and
use these six bits as the input to the substitution box.

The input difference of Eq. (1) is not generally conserved with respect to the
XOR input difference Eq. (2). For the particular case of a zero input XOR
(E' = 0), Eqs. (1) and (2) are equal, and the input difference for MultiDES is
identical to the XOR case. This case is of no practical use in differential
cryptanalysis since all keys are equally probable. We now introduce a
Lemma which will assist in the selection of characteristics.

Lemma: If r is the bit location (counted from the right of the bit pattern)
of the first non-zero bit in the XOR input difference E', and s the bit
position (counted from the right of the bit pattern) of the first non-zero bit in the key
K, then the first non-zero bit in the MultiDES input difference K(E') is
located at bit position r + s - 1 (counted from the right of the bit pattern of
K(E')).

Corollary: E' can only have a unique non-zero bit!

The corollary results from the observation that Eq. (1) holds together with
the conditions of the Lemma, if and only if, when multiplying both E and
E* by a constant (the key) and XORing the result, an input difference K(E')
is obtained which is a shifted bit pattern of the key. (For input XORs, E',
having more than one non-zero bit, K(E') is not a shifted bit pattern of the
key.)

In the case at point, input difference to substitution box 4 having Hex bit
pattern 28 (101000), r + s - 1 = 4. This means there are several choices for
characteristics:

r = 4, s = 1,
r = 3, s = 2.

This constrains the choices of E' and the corresponding keys which can
give a given K(E').

These r values (together with the corollary) limit the input XOR, E', into
substitution box 4, to 08 and 04 (Hex).

These s values give us our first constraints on the subkey bits entering
substitution box 4. Allowable keys have bit patterns of xxxxx1 or xxxx10
(where x can be arbitrarily 0 or 1). We now show additional constraints on
the key bits entering substitution box 4.

Case r = 4, s = 1:

Assume the key, K, has a piece entering substitution box 4 with bits k1 k2 k3
k4 k5 k6 (These bits are those entering substitution box 4 and are
numbered for convenience with respect to this substitution box, but they are
really bits 19-24 of the subkey, as counted from left to right, or bits 25 to 29
when counted from right to left.)

Since s = 1, k6 = 1.

Assume E has bits a b c d f g and E* has bits a* b* c* d* f* g* entering
substitution box 4.

To comply with the Lemma and its corollary, E' = 000008000000 (Hex),
and therefore c must complement c*.

Without loss of generality we can write: a = a*, b = b*, c <> c*, d = d*, f =
f* and g = g*. We can also set c = 1, causing c* = 0.

Consider the expression:

E* · K = (E · K) + (E' · K)    (3)

We evaluate the right hand side of Eq. (3).

(E' · K) = (0 0 1 0 0 0) · (k1 k2 k3 k4 k5 1), whose right half pattern is k4 k5
1 0 0 0.

(E · K) is unknown and assumed to have bit pattern: A B C D F G.

(E* · K) is given by Eq. (3) and evaluated:
    A  B  C  D  F  G
 +  k4 k5 1  0  0  0
 -------------------
    A* B* C* D  F  G

The following conditions are automatically valid: C <> C*, D = D*, F =
F*, G = G*.

In addition, since K(E') (Eq. (1)) was set at (Hex) 28 (bit pattern 1 0 1 0 0
0),

A <> A*, and B = B*.

We now examine carry arithmetic involving the bits B, B*, and A, A* of
(E · K) and (E* · K).

Carry arithmetic:

We are going to calculate the carry in the addition: (E · K) + (E' · K). Suppose
we have the sum U + V = W in binary notation with corresponding bits u_i, v_i and
w_i in column i (i = 0, 1, ..., n). The preliminary value of the sum in column i+1 is
Sum_{i+1} = u_{i+1} + v_{i+1} + carry_i. The real value of the sum in column i+1 is
w_{i+1} = Sum_{i+1} (mod 2). Since u_0 + v_0 <= 1 + 1 = 2 we have carry_0 <= 1. Suppose that
0 <= carry_i <= 1. Then Sum_{i+1} = u_{i+1} + v_{i+1} + carry_i <= 3. Therefore
0 <= carry_{i+1} = (Sum_{i+1} - w_{i+1})/2 <= 1.

So always 0 <= carry_i <= 1, and w_i = Sum_i - 2 carry_i.

In general:

w_i = u_i + v_i + carry_{i-1} - 2 carry_i    (4)

We investigate the carry arithmetic for our conditions B = B*, A <> A*:

B* = B + k5 + carry_C - 2 carry_B    (5)

Now B* = B, if and only if, k5 + carry_C - 2 carry_B = 0 (mod 2).

If carry_B = 0 then k5 + carry_C = 0 (mod 2), but carry_C = C, therefore k5 = C.

If carry_B = 1 then k5 + carry_C - 2 = 0 (mod 2), but carry_C = C,
therefore k5 + C - 2 = 0 (mod 2).

If C = 1 then k5 = 1; if C = 0 then k5 = 0; therefore k5 = C.

We conclude that: B* = B if and only if k5 = C.

A* = A + k4 + carry_B - 2 carry_A

Now A* <> A, if and only if, k4 + carry_B <> 0 (mod 2) (since 2 carry_A
mod 2 is 0 for carry_A = 0 or 1), or when k4 <> carry_B.

Examine two cases C = 0 and C = 1:

When C = 0, then k5 = 0, carry_C = 0, carry_B = 0, if and only if k4 = 1.
When C = 1, then k5 = 1, carry_C = 1, carry_B = 1, if and only if k4 = 0.

We conclude that, in all cases, the key bits k4 <> k5, and k6 = 1.

The input XOR, E', is limited to two values, 80 and 40 (Hex), which
comply with an input difference K(E') of 28 (Hex) after key multiplication.
The transition 28 (Hex) -> 0, for substitution box 4, occurs with probability
16/64. This means that only 16 correct pairs (E, E*) exist which yield the
output difference 0. However, each E' also has an associated 16 (E, E*)
pairs (total of 32 pairs). Therefore, only half the possible (E, E*) pairs are
correct ones and this reduces the overall probability by 1/2. The probability
of this characteristic (as shown in Figure 20) becomes (1/4)(1/2) = 1/8. To be
useful we must apply this characteristic iteratively over the MultiDES
rounds.
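The single-box analysis above, from the Lemma through the 1/8 estimate, can be reproduced by brute force over the 64 possible six-bit keys and texts. The following Python is an added worked example, not part of this patent; it assumes the truncated common multiplication described above (upper half of the product discarded), uses DES substitution box 4 as given in the DES specification (not taken from this document), and its function names are the example's own.

```python
# Added example: the single-box MultiDES differential analysis, carried out by brute force.
# S4 is DES substitution box 4 (from the DES specification, not from this page); as in DES,
# input x = b1..b6 selects row b1 b6 and column b2 b3 b4 b5.
S4 = [
    [7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
    [13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
    [10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
    [3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14],
]


def s4(x):
    """S-box 4 lookup on a six-bit input."""
    return S4[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]


def key_insert(k, e):
    """MultiDES key insertion for one box: 6-bit by 6-bit common multiplication,
    the upper half of the product discarded and the lower six bits kept."""
    return (k * e) & 0x3F


def mult_difference(k, e, e_star):
    """K(E') = (K.E) + (K.E*), Eq. (1), with '+' meaning XOR as in the text."""
    return key_insert(k, e) ^ key_insert(k, e_star)


def lowest_set_bit(x):
    """Position of the first non-zero bit counted from the right, 1-based (0 if x == 0)."""
    return (x & -x).bit_length()


def lemma_holds():
    """Lemma check: if E' has its single non-zero bit at position r and the key's first
    non-zero bit is at position s, K(E') has its first non-zero bit at r + s - 1."""
    for k in range(1, 64):
        s = lowest_set_bit(k)
        for r in range(1, 7):
            if r + s - 1 > 6:
                continue  # the shifted key bit falls into the discarded upper half
            for e in range(64):
                if lowest_set_bit(mult_difference(k, e, e ^ (1 << (r - 1)))) != r + s - 1:
                    return False
    return True


def ddt_entry(delta_in, delta_out):
    """Difference distribution count for S4: inputs x with S4(x) ^ S4(x ^ delta_in) == delta_out."""
    return sum(1 for x in range(64) if s4(x) ^ s4(x ^ delta_in) == delta_out)


def keys_admitting(e_prime, target):
    """Keys for which some pair (E, E ^ e_prime) gives the multiplicative difference target."""
    return sorted({k for k in range(64) for e in range(64)
                   if mult_difference(k, e, e ^ e_prime) == target})


def key_constraint(k):
    """The text's conclusion for E' = 08: k6 = 1 and k4 <> k5 (k1..k6 numbered left to right)."""
    k6, k5, k4 = k & 1, (k >> 1) & 1, (k >> 2) & 1
    return k6 == 1 and k4 != k5


def mult_pairs_count(k, e_prime, target):
    """Texts E whose pair (E, E ^ e_prime) has multiplicative difference target under key k."""
    return sum(1 for e in range(64) if mult_difference(k, e, e ^ e_prime) == target)


def characteristic_count(k, e_prime, target):
    """Right pairs for the one-round characteristic: multiplicative difference target
    AND zero S4 output difference."""
    hits = 0
    for e in range(64):
        x, x_star = key_insert(k, e), key_insert(k, e ^ e_prime)
        if x ^ x_star == target and s4(x) == s4(x_star):
            hits += 1
    return hits


if __name__ == "__main__":
    print("lemma holds:", lemma_holds())
    print("Prob(28 -> 0) =", ddt_entry(0x28, 0), "/ 64")
    print("keys admitting K(E')=28 from E'=08:", [format(k, "06b") for k in keys_admitting(0x08, 0x28)])
    print("key 000101: K(E')=28 for", mult_pairs_count(5, 0x08, 0x28), "texts,",
          characteristic_count(5, 0x08, 0x28), "right pairs out of 64")
```

Running it confirms the Lemma for every single-bit E' and key, the 16/64 entry for 28 -> 0, and that exactly the keys with k6 = 1 and k4 <> k5 admit K(E') = 28 from E' = 08. For key 000101, 32 of the 64 texts give K(E') = 28 (the 1/2 factor above), while the exact number of right pairs for the full one-round characteristic comes out key dependent (12 of 64 for that key) because whether a text is a right pair depends on the S-box entries as well as on the carry conditions; the 1/8 above treats the two factors as independent.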


Key schedule compliance

In order to use this characteristic iteratively the conditions on the key bits
must be obeyed for all sixteen rounds. This must be checked via the key
scheduling algorithm to ascertain that throughout the sixteen rounds no
violations of these conditions are encountered. We used the key schedule of
DES for our analysis, with the knowledge that even independently
generated keys should not severely alter our conclusions. The key schedule
in DES involves an initial permutation which selects 56 from 64 bits, a
dividing of the 56 bits into two 28 bit halves, a circular shift left 1 or 2 bits
depending on round number, and a permuted choice to select 48 subkey bits.
At each round a different key bit assumes key bit location k6 (which is
really key bit location 24, counting from right to left, with respect to the
round subkey) and will therefore be constrained to the value 1. Therefore 16
key bits are constrained to the value 1. In addition, 16x2 different key bits
assume key positions k4, k5 (locations 22 and 23, counting from right to
left, with respect to the round subkey) and cannot be equal to each other.
Table VI lists the key bits occupying key bit locations k4, k5 and k6 during the 16
rounds.

We conclude that:

For odd rounds key bit 18 cannot equal key bit 27.

This is true since for round 1 , 36 <> 27 and for round 5, 36 <> 9 and for 
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round 9, 

9 o 1 8, therefore 18 <> 27. 

However, we find that in round 1 key bit 1 8 is 1 and in round 5 key bit 27 is 
1, therefore we cannot iterate very far on odd rounds using this 
5 characteristic. 

For even rounds key bit 17 cannot equal key bit 44, 

This is true since for round 8, 26 o 17 and for round 12, 26 <> 35 and for 
round 16 35 <> 44, therefore 17 <> 44. 

However, we find that in round 12 key bit 17 is 1 and in round 8 key bit 44 
is 1, a contradiction. Therefore, we can apply this characteristic for only 15 
rounds (incompatibility occurs in round 16, where bit 44 contradicts with 
bit 35 and therefore with bit 17) with 14 conditions on the key bits. 

TABLE VI
KEY BITS IN k4, k5 and k6

ROUND NUMBER   BITS IN k4, k5 (<>)   BITS IN k6 (=1)
 1             36, 27                18
 2             57, 19                10
 3             41,  3                59
 4             25, 52                43
 5              9, 36                27
 6             58, 49                11
 7             42, 33                60
 8             26, 17                44
 9             18,  9                36
10              2, 58                49
11             51, 42                33
12             35, 26                17
13             19, 10                 1
14              3, 59                50
15             43, 52                34
16             44, 35                26

We conclude that this 14 round characteristic has a probability of:

PROB [14 rounds] (28 (Hex) -> 0) S4 = (1/2^3)^7 = 2^-21    (7)

Thus the attack on this modified MultiDES requires ~2^23 chosen plaintexts.
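The key schedule check above (which key bit lands in k4, k5 and k6 in each round, and whether the "k4 <> k5, k6 = 1" constraints can hold over the active rounds) can be redone mechanically. The following is an added example, not code from the patent: it recomputes the rows of Tables VI and VII from the standard DES key schedule (PC-1, the per-round left rotations and PC-2) and runs the compatibility argument as a 2-colouring problem over key-bit numbers. It assumes that k3, k4, k5 and k6 are subkey positions 20 to 23 counted from the left, the convention under which the computed rows reproduce the tables; the function names are this example's own.

```python
# Added example, not code from the patent: recompute which bits of the 64-bit
# DES key land in subkey positions k3..k6 in each round, using the standard
# DES key schedule (PC-1, the per-round left rotations, PC-2), and re-run the
# "key schedule compliance" argument mechanically.  Assumption: k3, k4, k5, k6
# are subkey positions 20, 21, 22, 23 counted from the left, the convention
# under which the computed rows match Tables VI and VII of the page.

PC1 = [57, 49, 41, 33, 25, 17, 9,
       1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27,
       19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,
       7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29,
       21, 13, 5, 28, 20, 12, 4]

PC2 = [14, 17, 11, 24, 1, 5,
       3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8,
       16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55,
       30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53,
       46, 42, 50, 36, 29, 32]

SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

# Assumed subkey positions (1-based, from the left) of the key bits k3..k6.
POSITIONS = {"k3": 20, "k4": 21, "k5": 22, "k6": 23}


def subkey_origins(rnd):
    """origins[p - 1] is the key bit (1..64) in subkey position p of round rnd."""
    c, d = PC1[:28], PC1[28:]
    for r in range(rnd):
        s = SHIFTS[r]
        c, d = c[s:] + c[:s], d[s:] + d[:s]    # circular left shifts
    cd = c + d
    return [cd[p - 1] for p in PC2]


def key_bits(rnd):
    """Key bits occupying k3..k6 of the round-rnd subkey (one row of Tables VI/VII)."""
    origins = subkey_origins(rnd)
    return {name: origins[pos - 1] for name, pos in POSITIONS.items()}


def table_rows():
    """(round, k3, k4, k5, k6) for rounds 1..16."""
    return [(r, *(key_bits(r)[k] for k in ("k3", "k4", "k5", "k6")))
            for r in range(1, 17)]


def forced_ones():
    """Key bits constrained to 1 when k6 = 1 is required in all 16 rounds."""
    return sorted({key_bits(r)["k6"] for r in range(1, 17)})


def schedule_compatible(rounds, unequal=("k4", "k5"), forced_one="k6"):
    """Can 'bit in unequal[0] <> bit in unequal[1]' and 'bit in forced_one = 1'
    hold in every active round at once?  Key bits are 0/1, so the inequalities
    2-colour a graph over key-bit numbers; the constraints are satisfiable iff
    every component is bipartite and all forced-1 bits inside one component
    received the same colour (the component can then be flipped to make it 1)."""
    adjacency, ones = {}, set()
    for r in rounds:
        kb = key_bits(r)
        a, b = kb[unequal[0]], kb[unequal[1]]
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
        ones.add(kb[forced_one])
    colour, component = {}, {}
    for start in adjacency:
        if start in colour:
            continue
        colour[start], component[start] = 0, start
        stack = [start]
        while stack:
            u = stack.pop()
            for v in adjacency[u]:
                if v not in colour:
                    colour[v], component[v] = 1 - colour[u], start
                    stack.append(v)
                elif colour[v] == colour[u]:
                    return False                 # odd cycle: x<>y<>z<>x
    seen = {}
    for bit in ones:
        if bit in component:
            root = component[bit]
            if seen.setdefault(root, colour[bit]) != colour[bit]:
                return False                     # two forced-1 bits would have to differ
    return True


if __name__ == "__main__":
    for row in table_rows():
        print("round %2d: k3=%2d k4=%2d k5=%2d k6=%2d" % row)
    print("even rounds 2..14 (s = 1):", schedule_compatible(range(2, 15, 2)))
    print("even rounds 2..16 (s = 1):", schedule_compatible(range(2, 17, 2)))
    print("odd rounds 1,5,9  (s = 1):", schedule_compatible([1, 5, 9]))
```

With the even rounds 2 to 14 active the constraints are satisfiable; adding round 16 brings in the inequality 44 <> 35, which joins the component already containing the forced bit 17 and the forced bit 44 on opposite sides, exactly the contradiction described in the text. The same function with `unequal=("k3", "k4")` and `forced_one="k5"` covers the s = 2 case of Table VII.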
Case r = 3, s = 2:

Assume the key, K, has the piece entering substitution box 4 with bits k1 k2 k3 k4 k5 k6.

(These bits are those entering substitution box 4 and are numbered for convenience with respect to this substitution box, but they are really bits 19-24 of the subkey, as counted from left to right, or bits 25 to 29 when counted from right to left.) Since s = 2, k5 = 1 and k6 = 0.

Assume E has bits a b c d f g and E* has bits a* b* c* d* f* g* entering substitution box 4.

To comply with the lemma and its corollary, E' = 000004000000 (Hex), and therefore d must complement d*. Without loss of generality we can write: a = a*, b = b*, c = c*, d <> d*, f = f* and g = g*. We can also set d = 0, causing d* = 1.

Consider the expression:

E* . K = (E . K) + (E' . K)    (3)

We evaluate the right hand side of Eq. (3).

(E' . K) = (0 0 0 1 0 0) . (k1 k2 k3 k4 1 0), whose right half pattern is k3 k4 1 0 0 0.

(E . K) is unknown and assumed to have bit pattern A B C D F G.
(E* . K) is given by Eq. (3) and evaluated:

    A   B   C   D   F   G
+   k3  k4  1   0   0   0
    A*  B*  C*  D   F   G

The following conditions are automatically valid: C <> C*, D = D*, F = F*, G = G*; carry_G, carry_F and carry_D all equal zero. In addition, since K(E') (Eq. (1)) was set at 28 (Hex) (bit pattern 1 0 1 0 0 0), A <> A* and B = B*. We investigate the carry arithmetic for our conditions B = B*, A <> A*:

B* = B + k4 + carry_C - 2 carry_B    (8)

Now B* = B if and only if k4 + carry_C = 0 (mod 2), or when k4 = carry_C. But carry_C = C, therefore k4 = C.

A* = A + k3 + carry_B - 2 carry_A    (9)

Now A* <> A if and only if k3 + carry_B <> 0 (mod 2), or when k3 <> carry_B.

Examine two cases, C = 0 and C = 1:

When C = 0, then k4 = 0, carry_C = 0, carry_B = 0, if and only if k3 = 1.
When C = 1, then k4 = 1, carry_C = 1, carry_B = 1, if and only if k3 = 0.
We conclude that in all cases the key bits k3 <> k4, k5 = 1 and k6 = 0.

The given constraints reduce the overall probability by 1/2 (as noted in the discussion of the previous case). The probability of the input difference to achieve the desired output difference in substitution box 4, i.e., Prob[28 (Hex) -> 0] S4, is 1/4; therefore, the probability of this characteristic is (1/4)(1/2) = 1/8. To be useful we must apply this characteristic iteratively over the MultiDES rounds.

We check for compliance with the key schedule. Table VII is a list of the subkey bits which occupy key positions k3, k4 and k5.
We conclude that:
For odd rounds:

From Table VII (round 1) key bit 1 cannot equal key bit 36; however, from Table VI we find that for round 13 key bit 1 = 1 and for round 9 key bit 36 = 1. Other contradictions exist.
For even rounds:

From Table VII, k3 cannot equal k4; however, in round 2 k3 = 58 and in round 6 k4 = 58. In addition, for round 4 k3 = 26 and in round 8 k4 = 26.
Therefore, we cannot apply this characteristic for 16 rounds.
This characteristic is useless for a complete differential cryptanalysis attack. It may be useful for independent keys which are not constrained to the DES key schedule algorithm.

MultiDES, general case 

We proceed to apply our methodology, used on the isolated substitution box case, to the general case of MultiDES, in which common multiplication may affect neighboring substitution boxes. Again we will show that MultiDES is stronger than DES in a differential cryptanalysis attack, that the key space for compliance with high probability characteristics is limited, and that the probability of success for the limited key space is less than in an attack against DES.

In order to apply the techniques used previously, we note that only for the first substitution box can the effect of common multiplication resemble the isolated substitution box case. Multiplying two bit patterns each of length i results in a bit pattern of length 2i-1. This causes bit patterns of an input difference E' (E XOR E*) belonging to a higher substitution box to affect, after key multiplication, the input difference pattern K(E') of a lower substitution box. Since we can choose the bit pattern of E' so that all bits not associated with substitution box 1 are set to zero (e.g., bits 1-42, counting from right to left of the round subkey), the desired substitution box will not be affected after key multiplication by bit patterns of E', or of those of the key, that were not associated with substitution box 1 before the multiplication.

TABLE VII
KEY BITS IN k3, k4 and k5

ROUND NUMBER   BITS IN k3, k4 (<>)   BITS IN k5 (=1)
 1              1, 36                27
 2             57, 58                19
 3             42, 41                 3
 4             26, 25                52
 5             10,  9                36
 6             59, 58                49
 7             43, 42                33
 8             27, 26                17
 9             19, 18                 9
10              3,  2                58
11             52, 51                42
12             36, 35                26
13             49, 19                10
14             33,  3                59
15             17, 52                43
16              9, 44                35

Moreover, for substitution box 1 we have no concern with bit interaction to a lower substitution box as a result of the multiplication step. We therefore select substitution box 1 for our attack. The input difference, K(E'), into substitution box 1 must only affect this box; hence, the last two bits of its bit pattern must be zero. Moreover, we seek an input difference which yields an iterative characteristic of the form shown in Fig. 12, i.e., one yielding a transition to an output difference of zero with high probability. The highest probability input difference for substitution box 1 yielding output difference zero (obtained from the Difference Distribution Table) is 28 (Hex), with probability:

Prob (28 -> 0) = 12/64 = 3/16

Applying the Lemma to 28 (Hex) (bit pattern 101000) in substitution box 1 gives r + s - 1 = 46, or r + s = 47 (counting from the right, bits 43-48 enter substitution box 1). As noted previously, E, E* and E' must be valid e-expansions and E' must not affect the previous or next substitution boxes. The nibbles entering substitution box 1 are nibbles 1 and 2 of the input XOR, E' (all of nibble 1 and the leftmost 2 bits of nibble 2). To be a valid e-expansion, nibble 2 must be either 0, 5, A, or F. Only 0 for nibble 2 agrees with the condition that the input XOR will have its two rightmost bits both zero. This limits the possibilities for an E' associated with substitution box 1 to 00, 10, 20, 30. E' = 00 is not useful for a differential attack. Applying the Lemma to the case at point, input difference to substitution box 1 having Hex bit pattern 28 (001010), r + s - 1 = 46, r + s = 47. This means there are several choices for characteristics:

for r = 46, s = 1 (E' = 20, 30)

for r = 45, s = 2 (E' = 10)

Applying the Corollary of the Lemma, we eliminate E' = 30 (Hex). This constrains the choices of E' and the corresponding keys which can give a given K(E').

These r values (together with the corollary) limit the input XOR, E', into substitution box 1, to 20 and 10 (Hex). These s values give us our first constraints on the subkey bits entering substitution box 1. Allowable keys have bit patterns of xxxxx1 or xxxx10 (where x can be arbitrarily 0 or 1). We now show additional constraints on the key bits entering substitution box 1.

We select r = 46 or E' = 20 (Hex) (with bit pattern 0 0 1 0 0 0 0 0), giving s = 1, and therefore the last bit of the subkey entering substitution box 1, k6 = 1.
In an analysis identical to that for the isolated substitution box case (and repeated here, in part, for convenience) we obtain the following:

(E . K)  :   A   B   C   D   F   G
+
(E' . K) :   k4  k5  1   0   0   0

             A*  B*  C*  D*  F*  G*

Therefore C <> C*, D = D*, F = F*, and G = G*, with carry_G, carry_F and carry_D all equal to zero (carry_G, the carry into G*, is also zero since bits 1-42, counting from right to left, of E' are all zero) and carry_C = C. Since our input difference K(E') = 28 (Hex), A XOR A* = 1, B XOR B* = 0, and A <> A*, and B = B*.



We examine the carry arithmetic for B, B* and A, A*.

B = B* + k5 + carry_C - 2 carry_B    (5)

B = B* if and only if k5 + carry_C = 0 (mod 2); -2 carry_B is zero mod 2 for carry_B = 0 or 1. Therefore, k5 = carry_C. But carry_C = C, therefore k5 = C.

A = A* + k4 + carry_B - 2 carry_A    (6)

A <> A* if and only if k4 + carry_B <> 0 (mod 2), therefore k4 <> carry_B.
Examine two cases, C = 0 and C = 1:

When C = 0, then k5 = 0, carry_C = 0, carry_B = 0, if and only if k4 = 1.
When C = 1, then k5 = 1, carry_C = 1, carry_B = 1, if and only if k4 = 0.
We conclude that in all cases the key bits k4 <> k5, and k6 = 1.

The input XOR, E', is limited to two values, 10 and 20 (Hex), which comply with an input difference K(E') of 28 (Hex) after key multiplication. The transition 28 (Hex) -> 0, for substitution box 1, occurs with probability 12/64. This means that only 12 correct pairs (E, E*) exist which yield the output difference 0. However, each E' also has an associated 12 (E, E*) pairs (total of 24 pairs). Therefore, only half the possible (E, E*) pairs are correct ones and this reduces the overall probability by 1/2. Therefore, the probability for this iterative characteristic is:

PROB [1 round] (28 (Hex) -> 0) S1 = (1/2) * (3/2^4) = 2^-3.42    (10)

To be useful we must apply this characteristic iteratively over the MultiDES rounds.

In order to use this characteristic iteratively we check the key schedule for compliance. We find conflicts with the key schedule for round 16. Therefore, we can only use this characteristic for 14 rounds. We conclude that this 14 round characteristic has a probability of:

PROB [14 rounds] (28 (Hex) -> 0) S1 = (2^-3.42)^7 = 2^-23.94 ~ 2^-24    (11)

In summary we note the following:

This probability is for a given best characteristic, which applies only to specific keys. Such keys are rare. In the case above, although the characteristic has probability ~2^-24, it only applies to 2^-28 of the possible keys. Thus we conclude that there exist many keys for which there are no good characteristics by which to attack them. Therefore, MultiDES and its variants are cryptographically stronger than DES.
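The carry analysis for substitution boxes 4 and 1 above (k4 <> k5 and k6 = 1 for s = 1; k3 <> k4, k5 = 1 and k6 = 0 for s = 2; half of the (E, E*) pairs lost; the 16/64 and 12/64 entries of the Difference Distribution Table) can be checked by exhaustive enumeration. The following is an added example, not code from the patent. It uses the page's isolated-box model: the six-bit window of E*.K is the window of E.K plus the window of E'.K modulo 64, and for a single-bit E' the window of E'.K is the box's own key chunk times that bit with the overflow dropped; S1 and S4 are copied from Table III. The function names and the `e_diff` argument are this example's own.

```python
# Added example, not code from the patent: brute-force check of the isolated
# substitution-box analysis for the MultiDES key insertion.  Model (the page's):
# window(E*.K) = window(E.K) + window(E'.K) mod 64, with window(E'.K) the
# six-bit key chunk multiplied by the single-bit E' and truncated to six bits;
# K(E') = window(E.K) xor window(E*.K).  S1 and S4 are from Table III.
import math

S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]
S4 = [[7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
      [13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
      [10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
      [3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14]]


def sbox(table, x):
    """DES S-box lookup: outer bits select the row, middle four bits the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def ddt_count(table, in_diff, out_diff):
    """Difference Distribution Table entry: number of the 64 inputs x with
    S(x) xor S(x xor in_diff) == out_diff."""
    return sum(1 for x in range(64)
               if sbox(table, x) ^ sbox(table, x ^ in_diff) == out_diff)


def key_bit(key, i):
    """k1..k6 of a six-bit key chunk, k1 being the leftmost bit."""
    return (key >> (6 - i)) & 1


def window_diff(x, key, e_diff):
    """K(E') for an unknown window x = A B C D F G of E.K, the key chunk and a
    single-bit E' (e.g. 0b001000 for s = 1, 0b000100 for s = 2)."""
    y = (key * e_diff) & 0x3F          # window of E'.K, overflow dropped
    return x ^ ((x + y) & 0x3F)


def key_compliance(e_diff, target=0x28):
    """Map each six-bit key chunk that can produce K(E') == target to the fraction
    of unknown windows x for which it does; keys that never reach target are omitted."""
    result = {}
    for key in range(64):
        hits = sum(1 for x in range(64) if window_diff(x, key, e_diff) == target)
        if hits:
            result[key] = hits / 64
    return result


def characteristic_probability(table, e_diff, rounds):
    """Probability of the two-round iterative characteristic 28 -> 0 over `rounds`
    rounds for a compliant key: (pair fraction) * DDT/64 per active round."""
    per_key = key_compliance(e_diff)
    fraction = min(per_key.values())          # the same for every compliant key
    p_active = fraction * ddt_count(table, 0x28, 0) / 64
    return p_active ** (rounds // 2)


def log2_probability(table, e_diff, rounds):
    return math.log2(characteristic_probability(table, e_diff, rounds))


if __name__ == "__main__":
    for e_diff, label in ((0b001000, "s = 1"), (0b000100, "s = 2")):
        keys = key_compliance(e_diff)
        print(label, "compliant key chunks:", [format(k, "06b") for k in keys])
    print("S1 28->0:", ddt_count(S1, 0x28, 0), "/ 64")
    print("S4 28->0:", ddt_count(S4, 0x28, 0), "/ 64")
    print("14 rounds, S4: 2^%.2f" % log2_probability(S4, 0b001000, 14))
    print("14 rounds, S1: 2^%.2f" % log2_probability(S1, 0b001000, 14))
```

For s = 1 exactly the 16 key chunks with k6 = 1 and k4 <> k5 reach K(E') = 28 (Hex), each for exactly half of the unknown windows; for s = 2 it is the 8 chunks with k6 = 0, k5 = 1 and k3 <> k4. Multiplying that 1/2 by the DDT entry gives the per-iteration probabilities 1/8 (S4) and 3/32 (S1) used in Eqs. (7) and (10).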
TABLE II

E - Expansion

32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

TABLE III

Substitution Boxes

Substitution box 1
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0   14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
  1    0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
  2    4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
  3   15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

Substitution box 2
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0   15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
  1    3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
  2    0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
  3   13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9

Substitution box 3
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0   10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
  1   13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
  2   13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
  3    1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12

Substitution box 4
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0    7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
  1   13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
  2   10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
  3    3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14

Substitution box 5
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0    2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
  1   14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
  2    4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
  3   11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3

Substitution box 6
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0   12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
  1   10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8
  2    9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6
  3    4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13

Substitution box 7
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0    4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1
  1   13  0 11  7  4  9  1 10 14  3  5 12  2 15  8  6
  2    1  4 11 13 12  3  7 14 10 15  6  8  0  5  9  2
  3    6 11 13  8  1  4 10  7  9  5  0 15 14  2  3 12

Substitution box 8
       0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0   13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
  1    1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
  2    7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
  3    2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11

TABLE IV

P - Permutation

16  7 20 21
29 12 28 17
 1 15 23 26
 5 18 31 10
 2  8 24 14
32 27  3  9
19 13 30  6
22 11  4 25

TABLE V

S-BOXES from DES prior art, in different format

/* The eight DES S-boxes of Table III stored flat, one box per inner array:
   si[box][16*row + column], where row = 2*b1 + b6 and column = b2 b3 b4 b5
   of the six input bits b1..b6. */
static const unsigned char si[8][64] = {
    { /* S1 */
      14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
      0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
      4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
      15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 },
    { /* S2 */
      15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
      3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
      0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
      13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 },
    { /* S3 */
      10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
      13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
      13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
      1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 },
    { /* S4 */
      7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
      13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
      10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
      3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 },
    { /* S5 */
      2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
      14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
      4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
      11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 },
    { /* S6 */
      12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
      10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
      9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
      4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 },
    { /* S7 */
      4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
      13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
      1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
      6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 },
    { /* S8 */
      13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
      1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
      7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
      2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 }
};
APPENDICES: Add-DES (detailed analysis)

In DES there are two XOR operations in each round. The first XORs the expanded input with the subkey within the F function, while the other XORs the output of the P function with the other half of the input data. The following describes the possible modification of DES which replaces the XOR within the F function by an addition operation. This variant of the cryptosystem we call "add-DES".
We are going to apply the technique of differential cryptanalysis to add-DES.
First of all, some preliminary remarks, mainly of a heuristic character.

1. According to the general scheme of Biham and Shamir [BiSh93] we must choose the proper characteristic as a base for an iterative characteristic. The term "proper" means that its probability must be better than the probability of the known one for the original version of DES. /* We want to compare the cryptographic strength of both systems with the initial conjecture that add-DES is weaker than DES. */

2. Simple observation shows that the addition of the key K to each member of a plaintext pair (E, E*) in general does change the XOR result E' = E XOR E* of this pair:

K(E)' = (K+E) XOR (K+E*) <> E XOR E* = E'

3. Therefore one must describe the necessary conditions on a right (P, P*) pair and maybe on "weak keys" /* a priori, we do not know whether we can develop a successful attack on any key, or only on special "weak" ones */ which imply the possibility of evaluating the XOR result K(E)' after key addition.

4. Such a possibility permits us to choose efficiently a (P, P*) pair with prescribed XOR K(E)' for which one can apply the difference distribution tables (DDT) with the best possible probability.

5. However, notwithstanding what was said in paragraph 2, there is a class of (P, P*) pairs for which addition conserves the XOR result: we mean (E, E*) pairs with E' = 0, i.e., E = E*. Therefore when the XOR of the pair is zero the outputs are equal too, which makes all the keys equally likely.

6. The above point implies that we must try (E, E*) pairs with E' <> 0. In this case we obtain the main invariant: key addition conserves the position of the last non-zero bit in any XOR.

7. If this last non-zero bit in the E' XOR belongs to the S_i box, then we can say something more definite about its position in S_i: if i <> 8 then the last two bits of the XOR input for S_i are zero.

Indeed, otherwise, according to the definition of the E-expansion, the last two bits in the S_i box coincide exactly with the leading two bits of the S_{i+1} box. This contradicts the choice of the S_i box.

8. One can prove such a statement: if S_i is the only S-box for which E' differs from zero, E' <> 0, then for any key K the probability [...] = 0.

9. The proof of the above statement shows that the resulting XOR of key addition K(E)' = (K+E) XOR (K+E*) in this last important S_i box can only be one of the following values /* in hex notation */: N_i = 4, 8, C, 10, 14, 18, 1C, 20, 24, 28, 2C, 30, 34, 38, 3C. Therefore one can choose the best candidates for an attack: the best important S_i box together with the proper N_i. For example:

S_i = S_4 and N_4 = 28 = 101000.

10. Some remarks about carry. We are going to calculate all carries in both additions, K+E and K+E*. Suppose we have the sum U + V = W in binary notation with corresponding bits u_i, v_i and w_i in the i-th column, i = 0, 1, ..., n. The preliminary value of the sum in the (i+1)-th column is Sum_{i+1} = u_{i+1} + v_{i+1} + carry_i. The real value of the sum in the (i+1)-th column is w_{i+1} = Sum_{i+1} (mod 2). Since u_0 + v_0 <= 2 we have carry_0 <= 1. Suppose that 0 <= carry_i <= 1. Then Sum_{i+1} = u_{i+1} + v_{i+1} + carry_i <= 3. Therefore 0 <= carry_{i+1} = floor(Sum_{i+1} / 2) <= 1. So always 0 <= carry_i <= 1, and w_i = Sum_i - 2 carry_i.

11. Now we can research an attack as in [BiSh93]: the last important S-box is S_4, N_4 = 28, with p(N_4 -> 0) = 16/64 (the best possible probability for an isolated S-box). The pair (P, P*) of plaintexts with XOR V of the right halves,

V = 000C0000 = 0000 0000 0000 1100 0000 0000 0000 0000,

after the E-expansion in the first round transfers into

E' = 000058000000 = 000000 000000 000001 011000 000000 000000 000000 000000.

WO 99/08411   PCT/IL98/00369

The authors [BiSh93] declare that the addition of the key K causes the input XOR to become

K(E)' = (K+E) XOR (K+E*) = 000028000000 = 000000 000000 000000 101000 000000 000000 000000 000000

with probability 1/16. Let us consider an arbitrary (E, E*) pair with the fixed given E' XOR. According to the choice we have for the S3 and S4 boxes:

                 S3       S4
E    = . . .  a  b  x  y  z  t . . .      . . .  a  b*  x   y   z   t  . . . = E*
+
K    = . . .  A  B  X  Y  Z  T . . .      . . .  A  B   X   Y   Z   T  . . . = K
K+E  = . . .  A  B  X  Y  Z  T . . .      . . .  A* B*  X*  Y*  Z*  T* . . . = K+E*

(Here the symbols b and b* denote opposite values.)

We denote the corresponding carries in the a-, b-, x-, y-, ... positions for K+E and K+E* by carry_a, carry_b, ... and by carry_a*, carry_b*, ... respectively.

Let us make some observations about such carries.

12. From the above (paragraph number 10):

A = a + A + carry_b - 2 carry_a ;   A* = a + A + carry_b* - 2 carry_a*.

According to the assumption about key addition, A* = A; hence carry_b - 2 carry_a = carry_b* - 2 carry_a*.

Suppose that carry_b <> carry_b*. Then one of the two sides of this equation has a value belonging to {0, -2} while the other belongs to {1, -1}. Since {0, -2} and {1, -1} are disjoint, this is a contradiction.

Therefore carry_b = carry_b* and, as a consequence, carry_a = carry_a*.

13. Without loss of generality one can assume that b = 0, b* = 1. In the other case we can swap E and E*.

B = b + B + carry_x - 2 carry_b ;   B* = b* + B + carry_x* - 2 carry_b*.
Since B = B* we have carry_x = 1 + carry_x*. Therefore carry_x = 1 and carry_x* = 0.

14. X = x + X + carry_y - 2 carry_x ;   X* = x + X + carry_y* - 2 carry_x*.

According to the assumption X* = X, so -(x + X) = carry_y - 2 - X ; -(x + X) = carry_y* - X*;

hence carry_y - 2 - X = carry_y* - X*. Therefore:

carry_y = carry_y* + 2 + (X - X*) >= carry_y* + 2 + (0 - 1) = carry_y* + 1 > carry_y*,
since X >= 0 and X* <= 1.

Thus carry_y = 1 and carry_y* = 0.

15. Y = y + Y + carry_z - 2 carry_y ;   Y* = y* + Y + carry_z* - 2 carry_y*.

According to the assumption Y* = Y, so y + carry_z - 2 = y* + carry_z*, or y - y* - 2 = carry_z* - carry_z.

However, y - y* - 2 = -1 if y = 1, or -3 if y = 0; while carry_z* - carry_z = -1 if carry_z* < carry_z, 0 if carry_z* = carry_z, or 1 if carry_z* > carry_z.

Therefore, for the only common value of both sides, equal to -1, we have y = 1 and y* = 0.

16. We see that b = 0, y = 1 and b* = 1, y* = 0. The values of the b- and y-bits in E (likewise the values of the corresponding bits in E*) are opposite to each other. However, from the definition of the E-expansion these values must coincide. This is a contradiction. So, instead of the statement of the authors:

There does not exist such a key K that its addition causes the input XOR E' = 000058000000 to become K(E)' = 000028000000.
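The two load-bearing facts of this appendix, the invariant of paragraph 6 (key addition keeps the position of the lowest non-zero bit of any XOR) and the final claim that no key turns E' = 000058000000 into K(E)' = 000028000000 once the E-expansion is respected, are both small enough to verify exhaustively. The following is an added example, not code from the patent or its appendix. It checks the invariant on short words and then searches the byte holding bits 17 to 24 of E (the S3/S4 region where E' and the target differ) over all key bytes and both possible carries from the lower bits; the function names, the byte-window model and the `require_expansion` switch are this example's own.

```python
# Added example, not code from the patent's appendix: two exhaustive checks of
# the add-DES reasoning.  The first confirms the invariant of paragraph 6 on
# small words; the second searches the byte holding bits 17..24 of E (the
# S3/S4 region) for a key that turns E' = 000058000000 into 000028000000, with
# and without the E-expansion constraint that paragraph 16 relies on.


def lowest_set_bit(v):
    return v & -v


def addition_keeps_lowest_diff_bit(width=6):
    """Paragraph 6: for every K, E, E* of `width` bits, the lowest nonzero bit of
    (K+E) xor (K+E*) is the lowest nonzero bit of E xor E*."""
    mask = (1 << width) - 1
    for k in range(1 << width):
        for e in range(1 << width):
            for e2 in range(e + 1, 1 << width):
                d = ((k + e) & mask) ^ ((k + e2) & mask)
                if lowest_set_bit(d) != lowest_set_bit(e ^ e2):
                    return False
    return True


E_DIFF = 0x58    # bits 17..24 of E'    = 000058000000 (bit 17 is the byte's msb)
TARGET = 0x28    # bits 17..24 of K(E)' = 000028000000


def expansion_consistent(e):
    """Bits 17..24 of an E-expanded block come from input bits 12,13,12,13,14,15,
    16,17 (Table II), so bit 17 must equal bit 19 and bit 18 must equal bit 20."""
    b = [(e >> (7 - i)) & 1 for i in range(8)]   # b[0] is bit 17, b[7] is bit 24
    return b[0] == b[2] and b[1] == b[3]


def keys_reaching_target(require_expansion):
    """All (e, k, carry_in) with (k + e) xor (k + (e xor E_DIFF)) == TARGET.
    Bits 25..48 are identical in E and E*, so they contribute only one carry
    into bit 24 (both values tried); bits 1..16 stay equal iff the carry out of
    bit 17 agrees, which comparing the 9-bit sums enforces."""
    found = []
    for e in range(256):
        if require_expansion and not expansion_consistent(e):
            continue
        for k in range(256):
            for carry_in in (0, 1):
                s = k + e + carry_in
                s_star = k + (e ^ E_DIFF) + carry_in
                if s ^ s_star == TARGET:
                    found.append((e, k, carry_in))
    return found


if __name__ == "__main__":
    print("lowest-bit invariant on 6-bit words:", addition_keeps_lowest_diff_bit())
    print("solutions ignoring the E-expansion:", len(keys_reaching_target(False)))
    print("solutions for valid E-expansions:  ", len(keys_reaching_target(True)))
```

Without the expansion constraint the search does find byte patterns and keys that produce the target difference (for instance e = 0x1C, k = 0x24, no carry in), so the carry arithmetic alone does not rule the transition out; it is the duplication of input bits 12 and 13 in positions 17 to 20 of the expanded block that leaves no solution, which is exactly where the appendix's contradiction (b and y must coincide) comes from.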
WHAT IS CLAIMED:

(1) A method for operating a general purpose data processor to enable said data processor to encrypt, the method comprising the steps of:

(a) employing an arithmetic operation on a plurality of single size inputs yielding said plurality size single result, and

(b) folding a distinct single size portion of said result in said plurality companion executions.



(2) A machine for encrypting plain text-derived-input comprising:
(a) a memory providing the s-boxes of DES as numbers, and

(b) a combiner combining said numbers on a bit-by-bit basis with limited carry into the stream of said plain text-derived-input.

(3) A method for a cryptographic primitive to enable a data processor to perform said cryptographic primitive on plain-text derived input, the method comprising the steps of:

(a) selecting a cryptographically suitable mask depending on information available 
within the round function selected from the group of round number, block number, 
and data being encrypted, and 

(b) combining said mask into stream of said plain text-derived-input. 

(4) A cryptobox machine comprising:

(a) a plain text provider providing a plain text,

(b) a subkey provider providing a plurality of subkeys,

(c) a cryptobox employing said plain text and said subkeys to generate new subkeys, and

(d) a connector providing said new subkeys to another cryptobox to process more plain texts.


(5) A method for implementing substitution boxes in logic gates on a 32-bit microprocessor, the method comprising the steps of:

(a) calculating combinations of 32-bit variables for repeated usage, and

(b) employing 32-bit equations which accurately calculate a value of a single bit of output of the substitution box using the results of step (a).

(6) A machine for data scrambling comprising a local scrambling operation and a permutation distributing bits from output of a given local scrambler to input of other local scramblers, comprising:

(a) a local scrambler P which distributes four outputs among eight possible boxes, and

(b) a global scrambler PP which distributes a plurality of outputs among groups of possible s-boxes to effect an extended P permutation.

(7) A DES encryption method comprising: performing N DES rounds, including, for at least one 1 <= n <= N, performing an n'th DES round on a subkey and a plain text derived input to said n'th round wherein addition is substituted for exclusive-or in performing said n'th DES round, wherein a subkey is defined for each of said N rounds.

(8) A WDES encryption method comprising: performing a plurality of rounds of WDES encryption, each round using a round function F; wherein, for the round function F of at least one round, a form of multiplication is substituted for exclusive-or.

(9) A method for performing a round function of an iterated encryption for a plurality of 32-bit input blocks, the steps of the method being performed by a data processor, the method comprising the steps of:

(a) numbering the plurality of input blocks from "0" to "n" with an input block number;

(b) splitting each of the plurality of input blocks into an upper half and a lower half to produce plain text-derived input;

(c) combining said plain text-derived input with a plurality of round-dependent subkeys according to a form of multiplication to form a blended product;

(d) applying a plurality of s-boxes of the F function of a DES encryption algorithm to said blended product; and

(e) applying the P permutation of the F function of a DES encryption algorithm to output of step (d).

(10) The method of claim 9, further comprising: 

(a) applying said plurality of s-boxes in bit-slice form using logic gates. 

(11) The method of claim 9, further comprising:

(a) selecting a mask determined according to a criteria selected from the group of a number of a round being performed and said input block number, and

(b) combining said mask with said plain text-derived input.

(12) The method of claim 9, wherein said form of multiplication features the steps of:
(I) multiplying a plurality of bits from said plain text-derived input and a plurality 
of bits from said plurality of round-dependent subkeys to form a common 
multiplication product; and 
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(II) performing an exclusive-or function on a plurality of bits from said plain 
text-derived input and a plurality of bits from said plurality of round-dependent 
subkeys to form a balanced product. 

5 (13) The method of claim 12, wherein the step of combining said plain text-derived 
input with a plurality of round-dependent subkeys further comprises the steps of: 

(III) performing an addition function on said common multiplication product and 
said balanced product to form a pseudo-random product. 

10 (14) The method of claim 13, wherein the step of combining said plain text-derived 
input with a plurality of round-dependent subkeys further comprises the steps of 
performing a thorough folding operation on two pseudo-random products as follows: 

(IV) folding upper half of first pseudo random product into lower half of second 
pseudo random product to form first result, 

15 (V) folding lower half of first pseudo random product into upper half of second 

pseudo random product to form second result, and 

(VI) concatenating first result to second result to form folded product. 

(15) The method of claim 14, wherein the step of combining said plain text-derived
input with a plurality of round-dependent subkeys further comprises the steps of
performing a blending operation on two folded products as follows: 

(VII) concatenating lower half of first folded product with upper half of second 
folded product to form said blended product. 

(16) The method of claim 14, wherein said folding operation is exclusive-or.

(17) A machine for performing a cryptographic primitive comprising:

(a) a key-inserter which employs a form of multiplication for key insertion,
whereby block length of the cryptographic primitive is extended.

(18) A machine according to claim 17, wherein said form of multiplication in said key
inserter comprises:

(a) a multiplier which performs an operation as follows: (a*b) + (a exclusive-or b).

(19) A machine according to claim 17, further comprising:

(a) an associator embodying a look-up-table implemented by bit-slicing.

(20) A machine according to claim 17, further comprising:

(a) a multiplier which performs an operation in chunks at least as large as a byte.
(21) A machine according to claim 17, further comprising:

(a) a multiplier which performs individual multiplications over a Fermat field with
fewer than a logarithmic (in the size of the field) number of exceptions.

(22) A machine according to claim 17, wherein said form of multiplication in said key
inserter comprises:

(a) a multiplier, performing common multiplication of arguments to yield a
product,

(b) a designator, designating the upper and lower half of said product,

(c) a combiner, combining the upper half with the lower half using exclusive-or to
form a final product, whereby the final product maintains behavior of modulo
multiplication without the clear algebraic structure.

(23) A machine according to claim 17, wherein said form of multiplication in said key
inserter comprises:

(a) a first multiplier, performing common multiplication of arguments to yield a
first product,

(b) a second multiplier, performing common multiplication of other arguments to
yield a second product,

(c) a first designator, designating an upper and lower half of said first product,

(d) a second designator, designating an upper and lower half of said second product,

(e) a first combiner, combining the upper half of the first product with the lower
half of the second product using exclusive-or to form a first final product,

(f) a second combiner, combining the upper half of the second product with the
lower half of the first product using exclusive-or to form a second final product,
thereby enabling the result of the form of multiplication to be folded with a companion
execution.

(24) A machine according to claim 17, wherein said form of multiplication in said key
inserter comprises:

(a) a multiplier to perform multiplication on a plurality of arguments to form a first
product;

(b) a first combiner to perform exclusive or on said plurality of arguments to form a
second product;

(c) a second combiner to perform addition between said first product and said
second product to form a gorilla product.
(25) A folding machine according to claim 24 wherein said gorilla product is provided
to a machine comprising:

(a) a counter which counts said plurality of arguments, calling it n;

(b) a repeater which provides a new set of arguments and calculates n gorilla
products;

(c) a splitter which divides each gorilla product into n pieces, each with index i
from 1..n;

(d) a combiner which combines using exclusive-or n pieces such that the combine
will take exactly one piece from each gorilla product, and exactly one piece of any
gorilla product with the index i for all i, such that said combiner yields a plurality
of n folded products.
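Claims 12 to 16 and 22 to 25 describe one pipeline: multiply and exclusive-or the same operands, add the two results, then fold and blend the products so that an s-box input depends on bits of both parallel encryptions. The Python below is an added worked example written for this page; it is not the patent's or any product's code. The bit widths (k-bit operands, 2k-bit products), the ordering of pieces in the n-way fold and the Latin-square rule for choosing pieces are assumptions that the claims leave open.

```python
# Added example for claims 12-16 and 22-25 (not the patent's own code).
# Assumptions: k-bit operands give 2k-bit products; piece 0 of a product is its
# most significant k bits; the n-way fold pairs pieces by a Latin-square rule.
from functools import reduce
from operator import xor
from typing import List


def mask(bits: int) -> int:
    return (1 << bits) - 1


def pseudo_random_product(x: int, key: int, k: int) -> int:
    """Claims 12 and 13 on k-bit operands: common product (I), balanced
    exclusive-or product (II), added together (III); kept to 2k bits."""
    common = x * key
    balanced = x ^ key
    return (common + balanced) & mask(2 * k)


def fold(p: int, k: int) -> int:
    """Claim 22: exclusive-or the upper half of a 2k-bit product into its lower half."""
    return (p >> k) ^ (p & mask(k))


def fold_pair(p1: int, p2: int, k: int) -> int:
    """Claims 14 and 16 (and the two-product machine of claim 23): cross-fold two
    2k-bit products and concatenate the two k-bit results."""
    first = (p1 >> k) ^ (p2 & mask(k))      # (IV) upper of first into lower of second
    second = (p1 & mask(k)) ^ (p2 >> k)     # (V) lower of first into upper of second
    return (first << k) | second            # (VI) concatenate -> 2k-bit folded product


def blend(f1: int, f2: int, k: int) -> int:
    """Claim 15: lower half of the first folded product || upper half of the second."""
    return ((f1 & mask(k)) << k) | (f2 >> k)


def n_way_fold(products: List[int], k: int) -> List[int]:
    """Claim 25 generalised to n products of n pieces each (n*k bits). Folded product j
    exclusive-ors piece (i + j) mod n of product i, so it takes exactly one piece from
    every product and exactly one piece of each index. For n == 2 this is fold_pair."""
    n = len(products)

    def piece(p: int, idx: int) -> int:
        return (p >> ((n - 1 - idx) * k)) & mask(k)

    return [reduce(xor, (piece(products[i], (i + j) % n) for i in range(n)), 0)
            for j in range(n)]


def s_box_input(x1: int, x2: int, key1: int, key2: int, k: int) -> int:
    """Claims 12-15 in sequence for a pair of parallel encryptions (bit-slice
    companions): both pseudo-random products are cross-folded and then blended,
    so the 2k-bit result mixes bits of x1, x2, key1 and key2."""
    p1 = pseudo_random_product(x1, key1, k)
    p2 = pseudo_random_product(x2, key2, k)
    return blend(fold_pair(p1, p2, k), fold_pair(p2, p1, k), k)
```

With k = 4 the arithmetic can be followed by hand: operands 3 and 5 give 15 + 6 = 21, which folds to 1 ^ 5 = 4. A useful invariant for checking an implementation is that folding the cross-folded pair (claim 14) equals the exclusive-or of the two single folds (claim 22), since both are the exclusive-or of all four halves.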

(26) A method for constructing a key schedule for an encryption algorithm, the steps of
the method being performed by a data processor, the method comprising the steps of:

(a) determining a first set of at least one subkey for the encryption algorithm;

(b) encrypting a master key according to the encryption algorithm by using said
first set of at least one subkey to produce a cipher text;

(c) repeating step (b) for at least a first number of rounds required to achieve
dependence of every bit of said cipher text on each bit of said master key;

(d) repeating step (b) for an integral number of rounds, said integral number being
at least one, extracting subkeys from output of said round(s); and

(e) repeating step (d) until a second set of subkeys has been generated.

(27) The method of claim 26, further comprising the steps of:

(i) deriving said first set of at least one subkey from DES s-box entries.

(28) The method of claim 26, further comprising the steps of:

(i) deriving said second set of at least one subkey from the group of the output and
intermediate values of round function in the encryption algorithm.

(29) The method of claim 26, further comprising the steps of:

(f) encrypting said cipher text with said second set of at least one subkey according
to the encryption algorithm to produce further encrypted cipher text, such that a third
set of subkeys is created for use in encryption of actual plain text.
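Claims 26 to 29 describe a key schedule that runs the cipher itself over the master key and reads subkeys off later rounds. The block below is an added example written for this page, not the patent's implementation. It drives the schedule with a deliberately small 32-bit Feistel cipher whose round function (a k-bit multiplication with the carry discarded, in the spirit of claim 66, plus rotations) is an assumption, as are the round counts, the S-box row used for the first subkeys and the way a subkey is read from the state. dependence_complete() is a single-input probe for step (c): it can show that too few rounds were used, not prove that enough were.

```python
# Added example for claims 26-29 (not the patent's own code). The toy cipher,
# round counts and subkey read-out below are assumptions made to run the schedule.
M16 = 0xFFFF

# DES S-box S1, row 0 (standard table); claim 27 takes the first subkeys from such entries.
DES_S1_ROW0 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]


def rotl16(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & M16


def toy_f(half: int, subkey: int) -> int:
    """Toy 16-bit round function (assumed, not DES's F): k-bit multiplication with the
    carry beyond k bits discarded (the substitution of claim 66) plus rotations for
    diffusion. The multiplier is forced odd so a zero subkey cannot zero the output."""
    m = (half * (subkey | 1)) & M16
    return rotl16(m, 5) ^ rotl16(m, 11) ^ subkey


def feistel_round(left: int, right: int, subkey: int):
    return right, left ^ toy_f(right, subkey)


def encrypt(block: int, subkeys) -> int:
    """32-bit Feistel encryption; the final swap mirrors DES."""
    left, right = block >> 16, block & M16
    for sk in subkeys:
        left, right = feistel_round(left, right, sk)
    return (right << 16) | left


def decrypt(block: int, subkeys) -> int:
    """A Feistel network decrypts by running the same rounds with reversed subkeys."""
    return encrypt(block, list(reversed(subkeys)))


def initial_subkeys():
    """Claim 27: the first set of subkeys from DES s-box entries, four nibbles per subkey."""
    return [int("".join(f"{n:x}" for n in DES_S1_ROW0[i:i + 4]), 16) for i in range(0, 16, 4)]


def derive_subkeys(block: int, driving: list, mixing_rounds: int, rounds_per_subkey: int, count: int):
    """Claim 26 steps (b)-(e): encrypt `block` round by round with the `driving` subkeys
    (cycled). After `mixing_rounds` rounds, read one subkey off the state every
    `rounds_per_subkey` rounds (claim 28: the round output mixed with an intermediate F
    value). Returns the subkeys and the final state so claim 29 can chain a further stage."""
    left, right = block >> 16, block & M16
    subkeys, i = [], 0
    while len(subkeys) < count:
        left, right = feistel_round(left, right, driving[i % len(driving)])
        i += 1
        if i > mixing_rounds and (i - mixing_rounds) % rounds_per_subkey == 0:
            subkeys.append(right ^ toy_f(left, driving[i % len(driving)]))
    return subkeys, (left << 16) | right


def schedule(master_key: int, n_rounds: int = 16):
    """Full schedule: second set from the master key; third set (claim 29) by encrypting
    the resulting cipher text under the second set. The third set keys the real encryption."""
    second, state = derive_subkeys(master_key, initial_subkeys(), 8, 2, 8)
    third, _ = derive_subkeys(state, second, 8, 2, n_rounds)
    return third


def dependence_complete(master_key: int, driving: list, rounds: int) -> bool:
    """Probe for step (c): after `rounds` rounds, does flipping each master-key bit change
    every state bit at least for this one input? A necessary condition only."""
    def run(key: int) -> int:
        l, r = key >> 16, key & M16
        for i in range(rounds):
            l, r = feistel_round(l, r, driving[i % len(driving)])
        return (l << 16) | r

    base = run(master_key)
    seen = set()
    for kb in range(32):
        diff = base ^ run(master_key ^ (1 << kb))
        seen.update((kb, sb) for sb in range(32) if (diff >> sb) & 1)
    return len(seen) == 32 * 32
```

After one round a flipped left-half key bit reaches exactly one state bit, so dependence_complete() is false there; the number of mixing rounds in schedule() has to be chosen so that the probe (and stronger statistical tests) pass for the cipher actually being keyed.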



(30) A symmetric cryptobox machine comprising: 

(a) circuits employing at least a 128-bit key and block size. 

(31) A machine according to claim 30, wherein

(a) said circuits providing large key size are implemented by employing circuits
providing a large block size.

(32) A machine according to claim 30, further comprising:

(a) an optimal sorting network performing combining.

(33) A method for operating a general purpose data processor of known type to enable
said data processor to encrypt employing a key schedule, the method comprising the steps
of:

(a) feeding the full set of 64 key bits per block into a rearranged PC2 from DES.

(34) A method according to claim 33, further comprising:

(i) adding four to entries of PC2 with values above 28, prior to first usage in claim
33.

(35) A method according to claim 33, further comprising:

(i) performing key schedule rotation 64 bits at once rather than two groups of 32
bits.

(36) A method according to claim 33, further comprising:

(i) causing sub key to depend on the serial number of the parallel execution.

(37) A method according to claim 33, further comprising:

(i) deriving sub key by finding a multiplicative inverse over a field.

(38) A method according to claim 33, further comprising:

(i) replacing zero sub key by a round dependent mask value.

(39) A method for automatically protecting confidentiality of information stored on a
persistent storage medium, the information being organized into a plurality of files, the
steps of the method comprising:

(a) protecting a plurality of files on an automatic file-by-file basis, such that each
of said plurality of files is automatically protected individually according to the
steps of:

(i) using a cryptosystem to encrypt said at least one file, thereby generating an
encrypted file; and

(ii) storing said encrypted file on the persistent storage medium.

(40) A method for protecting confidentiality of information written on a hard disk, the method
comprising:

(a) encrypting a file having a selectably known file key according to a first symmetric
cryptosystem; and

(b) encrypting said selectably known file key using a second symmetric cryptosystem and
a selectably known master key derived from a selectably known pass phrase using a third
symmetric cryptosystem wherein said third symmetric cryptosystem is operative as a
cryptographically strong hash function.

(41) The method of claim 40, wherein said first and said second symmetric cryptosystems are
identical.

(42) The method of claim 41, wherein said first, said second symmetric and said third symmetric
cryptosystems are performed on a plurality of 32-bit input blocks, according to the steps of:

(i) numbering the plurality of input blocks from "0" to "n" with an input block
number;

(ii) splitting each of the plurality of input blocks into an upper half and a lower
half to produce plain text-derived input;

(iii) combining said plain text-derived input with a plurality of round-dependent
subkeys according to a form of multiplication to form a blended product;

(iv) applying the P permutation of s-boxes of the F function of a DES encryption
algorithm to said blended product; and

(v) applying the P permutation of the F function of a DES encryption algorithm to
output of step (iv).

(43) The method of claim 40, wherein said first and said second symmetric cryptosystems are
substantially different. 

(44) The method of claim 40, wherein at least one of said first, said second and said third symmetric
cryptosystems are performed on a plurality of 32-bit input blocks, according to the steps of:

(i) numbering the plurality of input blocks from "0" to "n" with an input block
number;

(ii) splitting each of the plurality of input blocks into an upper half and a lower half to
produce plain text-derived input;

(iii) combining said plain text-derived input with a plurality of round-dependent
subkeys according to a form of multiplication to form a blended product;

(iv) applying a plurality of s-boxes of the F function of a DES encryption algorithm
to said blended product; and

(v) applying the P permutation of the F function of a DES encryption algorithm to
output of step (iv).

(45) A method according to claim 40 further comprising the steps of:

(c) decrypting said selectably known file key using said second symmetric cryptosystem and
said selectably known master key; and

(d) decrypting said file using said selectably known file key and said first symmetric
cryptosystem.

(46) A method according to claim 40, wherein said cryptographically strong hash function comprises
a MAC (message authentication code).

(47) The method according to claim 40, wherein the persistent storage medium is operated by a 
computational device having a sleep mode, said computational device having a RAM (random access 
memory), such that all information on said RAM is encrypted and written to the persistent storage 
medium as a single unit. 

(48) The method according to claim 40, wherein the persistent storage medium is operated by a 
computational device having a stand-by mode, said computational device having a RAM (random 
access memory), such that at least a portion of information on said RAM is encrypted. 

(49) A system for protecting confidentiality of information stored on a persistent storage medium, the
system comprising:

(a) an automatic file-by-file information protector operative to protect a plurality of files on
an automatic file-by-file basis, the information protector including:

(i) a symmetric encryptor using a symmetric cryptosystem to encrypt each of said
plurality of files as an individual file, thereby to generate an encrypted individual file;
and

(ii) a storage manager for the persistent storage medium operative to store the
encrypted individual file on the persistent storage medium.

(50) A DES encryption method comprising:

(a) performing N DES rounds, including:

for at least one 1<=n<=N, performing an n'th DES round on a sub key and a plain text
derived input to said n'th round wherein addition is substituted for exclusive-or in performing
said n'th DES round,

wherein a sub key is defined for each of said N rounds and wherein at least some of said N
sub keys are dependent.

(51) A method according to claim 50, wherein all of said N sub keys are derived from a standard key
schedule.

(52) A method according to claim 50 wherein said plain text derived input to said n'th round (n>1)
comprises an output of a round previous to said n'th round.

(53) A method according to claim 50 wherein said plain text derived input to said first round
comprises at least a portion of said plain text.

(54) A method according to claim 50 wherein said step of performing N DES rounds comprises 
performing a bit-slice implementation of DES. 

(55) A method according to one of claims 9 or 50, wherein for at least one 1<=n<=N, said step of
combining a plurality of key-to-sub key operations thereby to obtain an (n+1)th sub key, is performed
substantially before the (n+1)th round is performed.

(56) A method according to claim 55, wherein for at least one 1<=n<=N, said step of combining a
plurality of key-to-sub key operations thereby to obtain an (n+1)th sub key is performed before the
n'th round is performed.

(57) A method according to claim 55, wherein for at least one 1<=n<=N, said step of combining a
plurality of key-to-sub key operations thereby to obtain an (n+1)th sub key is performed before the
use of the n'th sub key.

(58) A method according to claim 55, wherein for at least one 1<=n<=N, said step of combining a
plurality of key-to-sub key operations thereby to obtain an (n+1)th sub key is performed before
completing the use of the n'th sub key.

(59) A DES encryption method, the steps of the method being performed by a data processor, the
steps of the method comprising:

(a) performing N>16 DES rounds, including, for at least one 1<=n<=N, performing an n'th
DES round on a sub key and a plain text derived input to said n'th round wherein addition is
substituted for exclusive-or in performing said n'th DES round.

(60) A DES encryption system comprising:

(a) an addition-based DES encryptor operative to perform N DES rounds including, for at
least one 1<=n<=N,

(b) a round-performer performing an n'th DES round on a sub key and

(c) a plain-text-derived-input provider providing a plain text derived input to said n'th round

wherein an adder operative to perform addition rather than exclusive-or is used to perform
said n'th DES round, wherein a sub key is defined for each of said N rounds and wherein at
least some of said N sub keys are dependent.

(61) A DES encryption method, the steps being performed by a data processor having 32 bit registers,
the steps of the method comprising:

(a) performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th DES
round on a sub key and a plain-text derived input to said n'th round to perform a bit-slice
implementation of DES.

(62) A DES encryption method, the steps being performed by a data processor having registers of
fewer than 64 bits, the steps of the method comprising:

(a) performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th DES
round on a sub key and a plain text derived input to said n'th round to perform bit-slice
implementation of DES.

(63) A DES encryption method, the steps being performed by a data processor, the steps of the
method comprising:

(a) computing a sub key for each of N DES rounds, at least some of said N sub keys being
dependent, by combining a plurality of key to sub key operations into a single key to sub key
operation on a DES key, thereby to provide a sub key; and

(b) performing N DES rounds.
(64) A DES encryption method, the steps being performed by a data processor, the steps of
the method comprising:

(a) using first and second permutations and a mapping to perform each of N DES rounds,
wherein the first permutation includes a left half of L* and a right half R* and wherein
L* comprises a composition of an inverse P permutation and a left half, L, of an
initial permutation, and wherein R*, comprises a composition of the inverse P
permutation and a right half, R, of the initial permutation, wherein the second
permutation includes a left half of L** and a right half R** and wherein L**
comprises a composition of the P permutation and a left half of the final permutation,
and R** comprises a composition of the P permutation and a right half of the final
permutation, and, wherein the mapping comprises a composition of the P
permutation with an E expansion.

(65) A DES encryption method, the steps being performed by a data processor, the steps of the
method comprising:

(a) performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th
DES round on a sub key and a plain text derived input to said n'th round wherein
addition is substituted for exclusive-or in performing said n'th DES round, wherein
said step of performing N DES rounds comprises performing a bit-slice
implementation of DES.

(66) A DES encryption method, the steps being performed by a data processor, the steps of the
method comprising:

(a) performing N DES rounds, including, for at least one 1<=n<=N, generating an n'th
k-bit s-box input by performing an n'th DES round on a k-bit sub key and a k-bit plain
text derived input to said n'th round wherein multiplication in which any carry beyond
k bits is discarded, is substituted for exclusive-or in performing said n'th DES round.

(67) A method according to claim 66, wherein all of said N sub keys are derived from a
standard key schedule.

(68) A method according to claim 66, wherein said plain-text derived input to said n'th round
(n>1) comprises an output of a round previous to said n'th round.

(69) A method according to claim 66, wherein said plain text derived input to said first round
comprises at least a portion of said plain text. 

(70) A method according to claim 66, wherein N>16.
(71) A DES encryption system comprising:

(a) a DES encryptor operative to perform N>16 DES rounds, including, for at least one
1<=n<=N,

(b) a round-performer performing an n'th DES round on a sub key and

(c) a plain text derived input provider operative to provide a plain text derived input to
said n'th round wherein addition is substituted for exclusive-or in performing said n'th
DES round.

(72) A method according to claim 66 wherein said step of performing an n'th DES round
comprises performing a bit-slice DES round.

(73) A method according to claim 66, wherein a sub key is defined for each of said N rounds 
and wherein at least some of said N sub keys are dependent. 

(74) A DES encryption method, the steps being performed by a data processor, the steps of the
method comprising:

(a) performing N DES rounds, including, for at least one 1<=n<=N, performing an n'th
DES round on a sub key and a plain text derived input to said n'th round wherein
addition is substituted for exclusive-or in performing said n'th DES round, wherein
said step of performing N DES rounds comprises performing a bit-slice
implementation of DES.

(75) A WDES encryption method, the steps being performed by a data processor, the steps of
the method comprising:

(a) performing a plurality of rounds of WDES encryption, each round using a round
function F, wherein in the round function F of at least one round addition, with final carry
neglected, is substituted for exclusive-or.

(76) A DES encryption method comprising: performing N DES rounds, including for at least
one 1<=n<=N, generating an n'th k-bit s-box input by performing an n'th DES round on a
k-bit sub key and a k-bit plain text derived input to said n'th round wherein multiplication,
performed over a ring, is substituted for exclusive-or in performing said n'th DES round.

(77) A method according to claim 76, wherein said multiplication over a ring comprises
multiplication over a finite field.

(78) A method according to claim 76, wherein said ring has a modulus and said modulus is a 
product of less than 5 primes. 
(79) A method according to claim 77, wherein said ring has a modulus and said modulus is a
product of less than 4 primes.

(80) A method according to claim 77, wherein said ring has a modulus and said modulus is a
product of 2 primes.

(81) A method according to claim 77, wherein said ring has a modulus and said modulus is
prime.

(82) A method according to claim 77, wherein said ring has a modulus and said modulus
comprises a product of a plurality of primes at least one of which slightly exceeds an
exponent of 256.

(83) A method according to claim 77, wherein said ring has a modulus and said modulus
comprises a product of a plurality of primes at least one of which slightly exceeds an
exponent of 65536 such as 65536 or 2^32 or 2^48 or 2^64.

(84) A method according to claim 77, wherein said ring has a modulus and said modulus
comprises a product of a plurality of primes at least one of which is slightly less than an
exponent of 256.

(85) A method according to claim 77, wherein said ring has a modulus and said modulus
comprises a product of a plurality of primes at least one of which is slightly less than an
exponent of 65536 such as 65536 or 2^32 or 2^48 or 2^64.

(86) A method according to claim 77, wherein said step of performing an n'th DES round
comprises performing a bit-slice DES round.

(87) A DES encryption system comprising:

(a) a DES encryptor for performing N>16 DES rounds, including, for at least one
1<=n<=N, an addition-based DES engine operative to perform an n'th DES round on
a sub key and a plain text derived input to said n'th round wherein addition rather than
exclusive or is used to perform said n'th DES round.

(88) A DES encryption system comprising:

(a) a DES encryptor for performing N DES rounds, including, for at least one 1<=n<=N,
a DES engine operative to perform an n'th DES round on a sub key and a plain text
derived input to said n'th round; and

(b) a computer having registers whose size is less than 64 bits, wherein said DES
encryptor is configured to perform said N DES rounds including performing a bit-slice
implementation of DES while running on said computer.

(89) A DES encryption system comprising:

(a) a sub key computation engine operative to compute a sub key for each of N DES
rounds, at least some of said N sub keys being dependent, the sub key computation
engine including a single key-to-sub key operation and performing said single key-to-sub
key operation on a DES key, thereby to provide a sub key; and

(b) a DES engine operative to perform N DES rounds using said N sub keys.

(90) A DES encryption system comprising:

(a) a DES encryptor using first and second permutations and a mapping to perform each
of N DES rounds, the DES encryptor comprising:

(i) a first permutation provider providing the first permutation which includes a
left half L* and a right half R* and wherein L* comprises a composition of an
inverse P permutation and a left half L of an initial permutation, and wherein
R* comprises a composition of an inverse P permutation and a right half R of
an initial permutation,

(ii) a second permutation provider providing the second permutation which includes
a left half L** and a right half R** wherein L** comprises a composition of
the P permutation and a left half L of a final permutation, and wherein R**
comprises a composition of the P permutation and a right half R of a final
permutation, and

(iii) a mapping provider providing the mapping which comprises a composition of
the P permutation and the E expansion.

(91) A DES encryption system comprising:

(a) a DES encryptor operative to perform N DES rounds, including an addition-based
DES engine performing, for at least one 1<n<N, an n'th DES round on a sub key and
a plain text derived input to said n'th round wherein addition rather than exclusive or
is used in performing said n'th DES round, wherein said N DES rounds are
performed by performing a bit-slice implementation of DES.

(92) A DES encryption system comprising:

(a) a DES encryptor operative to perform N DES rounds, including an s-box input
provider operative to provide for at least one 1<=n<=N an n'th k-bit s-box input by
performing an n'th DES round on a k-bit sub key and a k-bit plain text derived input
to said n'th round wherein multiplication, in which any carry beyond k bits is discarded,
is used rather than exclusive or in performing said n'th DES round.
(93) A DES encryption system comprising:

(a) a DES encryptor operative to perform N DES rounds, including an addition-based
DES engine operative, for at least one 1<=n<=N, to perform an n'th DES round on a
sub key and a plain text-derived-input to said n'th round wherein addition rather than
exclusive or is used in performing a bit-slice implementation of DES.

(94) A WDES encryption system comprising:

(a) a WDES encryptor operative to perform a plurality of rounds of WDES encryption,
each round using a round function F, said WDES encryptor including an addition-
based WDES engine operative for the round function F of at least one round to
perform addition with final carry neglected rather than performing exclusive or.

(95) A WDES encryption system comprising:

(a) a WDES encryptor operative to perform a plurality of rounds of WDES encryption,
each round using a round function F, said WDES encryptor including a common
multiplication-based WDES engine operative for the round function F of at least one
round to perform common multiplication with final carry neglected rather than
performing exclusive-or.

(96) A DES encryption system comprising:

(a) a DES encryptor operative to perform N DES rounds, the DES encryptor including,
for at least one 1<=n<=N, an s-box input provider operative to provide an n'th k-bit
s-box input by performing an n'th DES round on a k-bit sub key and a k-bit plain text
derived input to said n'th round wherein said n'th DES round includes performing
multiplication over a ring rather than performing exclusive-or.

(97) A method for performing a cryptographic primitive employing a key schedule comprising
the steps of:

(a) feeding the full set of 64 key bits per block into a rearranged PC2 from DES.

(98) A method according to claim 97, further comprising at least one of the following:

(i) adding four to entries of PC2 with values above 28, prior to first usage in
claim 97.

(ii) performing key schedule rotation 64 bits at once rather than two groups of 32
bits.

(iii) causing sub key to depend on the serial number of the parallel execution.

(iv) deriving sub key by finding multiplicative inverse over a field.

(v) replacing zero sub key by a round dependent mask value.
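Claims 33 to 38, restated as claims 97 and 98, together describe a 64-bit variant of the DES key schedule. The Python below is an added example written for this page, not the patent's code. It applies the rearranged PC2 of claim 34, the 64-bit rotation of claim 35, the per-execution serial number of claim 36, the field inverse of claim 37 and the zero-subkey mask of claim 38. The PC2 table and shift schedule are the standard DES ones; everything the claims leave open is an assumption and marked as such: the serial number is folded in by exclusive-or, the inverse is taken over the Fermat field GF(65537) separately for each 16-bit chunk with 0 standing for 65536 (the single exception, as the Fermat-field multiplier of claim 21 suggests), and the round mask is a constant shifted by the round number.

```python
# Added example for claims 33-38 / 97-98 (not the patent's own code). DES_PC2 and
# DES_SHIFTS are the standard DES tables; the serial-number XOR, the per-chunk
# GF(65537) inverse and the form of round_mask() are assumptions.
DES_PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
           23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
           41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
           44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
DES_SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
M48, M64 = (1 << 48) - 1, (1 << 64) - 1
FERMAT_P = 65537          # 2^16 + 1, a Fermat prime; see claim 21


def rearranged_pc2():
    """Claim 34: add four to entries above 28 so the table addresses two 32-bit halves
    of a 64-bit key instead of DES's two 28-bit halves (bits 29..32 are never selected)."""
    return [e + 4 if e > 28 else e for e in DES_PC2]


def rotl64(x: int, r: int) -> int:
    """Claim 35: rotate the whole 64-bit key at once, not two halves separately."""
    r %= 64
    return ((x << r) | (x >> (64 - r))) & M64 if r else x


def select_bits(key64: int, table) -> int:
    """Selection permutation in DES bit numbering: position 1 is the most significant bit."""
    out = 0
    for pos in table:
        out = (out << 1) | ((key64 >> (64 - pos)) & 1)
    return out


def fermat_inverse16(x: int) -> int:
    """Claim 37 for one 16-bit chunk: multiplicative inverse in GF(65537). The value 0
    encodes 65536 (the one element that does not fit in 16 bits), as assumed here."""
    v = x if x else 65536
    inv = pow(v, -1, FERMAT_P)
    return 0 if inv == 65536 else inv


def round_mask(round_no: int) -> int:
    """Claim 38: round-dependent nonzero mask replacing a zero subkey (assumed form)."""
    return ((0x9E3779B97F4A7C15 >> (round_no % 16)) & M48) | 1


def subkey(key64: int, round_no: int, serial: int = 0) -> int:
    """48-bit subkey for 1-based `round_no` of the parallel execution numbered `serial`."""
    rotated = rotl64(key64, sum(DES_SHIFTS[:round_no]))   # claim 35
    sk = select_bits(rotated, rearranged_pc2())            # claim 33: 48 of the 64 key bits
    sk ^= serial & M48                                     # claim 36 (XOR is an assumption)
    if sk == 0:
        sk = round_mask(round_no)                          # claim 38
    chunks = [(sk >> s) & 0xFFFF for s in (32, 16, 0)]
    return sum(fermat_inverse16(c) << s for c, s in zip(chunks, (32, 16, 0)))  # claim 37


def key_schedule(key64: int, rounds: int = 16, serial: int = 0):
    return [subkey(key64, r, serial) for r in range(1, rounds + 1)]
```

Two properties worth checking in any implementation of this schedule: the rearranged table must still contain 48 distinct positions inside 1..64, and the chunk inverse must be a bijection on 16-bit values (so that two parallel executions with different serial numbers never collapse onto the same subkey).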
(99) A machine for performing a cryptographic primitive comprising:

(a) a key-inserter which employs a form of multiplication for key insertion, whereby
block length of the cryptographic primitive is extended.

(100) A machine according to claim 99, further comprising:

(b) a logic-gate implementation of a bit-slice representation of at least one component of
said cryptographic primitive.

(101) A machine according to claim 100, wherein said component is a plurality of s-boxes.

(102) A machine according to claim 99, wherein said cryptographic primitive is

(b) a WDES encryptor operative to perform a plurality of rounds of WDES encryption
employing a plurality of WDES-round encryptors,

(c) at least one WDES-round encryptor having a form of multiplication substituted for
exclusive-or as key-inserter.

(103) A machine according to claim 99 operative on plain-text derived input, further
comprising:

(b) a memory providing a series of numbers having no known concise description, and

(c) a combiner combining said numbers on a bit-by-bit basis with limited carry into the
stream of said plain-text derived input.

(104) A machine according to claim 103, wherein said memory provides the s-boxes of DES as
numbers.

(105) A machine according to claim 103, wherein said memory provides digits selected from the 
group consisting of mathematical constants pi and e. 

(106) A machine according to claim 99, operative to extend the effect of the P permut­ation
comprising:

(b) a permuter whose local effect, within a group of 8 s-boxes, is identical to that of said
P permutation, and

(c) said permuter whose global effect is to apply a reduced P permutation between a
collection of s-boxes.

(107) A machine according to claim 99 on a plurality of input blocks, wherein

(b) a splitter operative to split each of the plurality of input blocks into an upper half and a
lower half to produce plain text derived input;

(c) a combiner combining said plaintext derived input with a plurality of round dependent
subkeys according to a form of multiplication to form a blended product in at least one round;

(d) an s-box engine applying a plurality of s-boxes of the F function of DES encryption
algorithm to said blended product; and

(e) a permuter applying the P permutation to output of said engine.

(108) A machine according to claim 107, wherein

(c) said combiner combines said plaintext derived input with a plurality of round dependent
subkeys by employing addition as the form of multiplication to form a blended product.

(109) A machine according to claim 99, wherein said form of multiplication in said key inserter
comprises:

(a) a multiplier performing common multiplication of arguments to yield a product.

(b) a designator, designating an upper and a lower half of said product. 

(c) a combiner, combining the upper half with the lower half employing exclusive-or to form 
a final product. 

(110) A machine according to claim 99, wherein said form of multiplication in said key inserter
comprises:

(a) a first multiplier, performing common multiplication of arguments to yield a first product.

(b) a second multiplier, performing common multiplication of other arguments to yield a
second product.

(c) a first designator, designating an upper and lower half of said first product.

(d) a second designator, designating an upper and lower half of said second product.

(e) a first combiner, combining the upper half of the first product with the lower half of the
second product using exclusive-or to form a first final product.

(f) a second combiner, combining the upper half of the second product with the lower half of
the first product using exclusive-or to form a second final product.
(111) A machine according to claim 99, wherein said form of multiplication operative in the
cryptographic primitive with plaintext derived input further comprises:

(i) a multiplier operative to multiply a plurality of bits from said plaintext derived input.

(112) A machine according to claim 99, operative as a hash function.

(a) said hash function providing ciphertext output. 

(b) a folder providing a folding operation on said output.

(113) A machine according to claim 99, comprising:

(a) a permutation combiner providing a composition of a P permutation with a final
permutation, and providing a composition of an inverse P permutation with an initial
permutation.

(114) A machine according to claim 99, comprising:

(a) a mapping combiner providing a composition of a P permutation and an E expansion.

(1 15) A machine according to claim 99, comprising: 

(a) a s-box combiner providing a composition of at least two of the following, e-expansion, s- 
boxes, and p permutation. 


(116) A machine according to claim 99, said primitive further comprising:

(b) a folding device operative to perform folding among a plurality of results of the employed
form of multiplication.



(117) A machine according to claim 99, said primitive further comprising:

(b) a blending device operative to perform blending among a pair of results of the employed form
of multiplication.



(118) A cryptobox machine comprising:

(a) a plain text provider providing a plain text.

(b) a subkey provider providing a plurality of subkeys. 

(c) an inner cryptobox employing said plain text and said subkeys to generate new subkeys, 
and 

(d) a connector providing said new subkeys to another cryptobox to process more plain texts. 
(119) A machine according to claim 118 further comprising:

(e) said inner cryptobox also providing a ciphertext output, whereby encryption occurs a
block at a time and information is transferred from encryption of one block to another via the
new subkeys.


(120) A machine according to claim 118 further comprising:

(e) a Feistel structure with a place for a round function box. 

(f) a round function box providing round-output of said new subkeys, 

whose input as plaintext is said plain text from said plain text provider, and whose input as
key is said subkey from said subkey provider.

(121) A machine according to claim 120 further comprising:

(g) a cryptobox key provider providing a cryptobox key. 

(h) a cryptobox machine operative to encrypt said round function box output employing a
cryptobox key, yielding revised round function box output used in said Feistel structure.

(122) A machine according to claim 118 wherein said inner cryptobox comprises:

(a) a subkey provider providing a plurality of subkeys. 

(b) a local cryptobox encrypting a master key according to an encryption
algorithm by using said subkey to produce a cipher text;

(c) a dependency ensurer cryptobox which ensures dependence of every bit of said cipher
text on each bit of said master key by employing a plurality of said local cryptoboxes in
sequence using previous cipher text as plain text;

(d) a new subkey extractor providing a single new subkey employing said local cryptobox to
provide said new subkey and a new cipher text;

(e) a masterkey mixer employing a series of local cryptoboxes, at least zero times in series
using previous cipher text as plain text.

(123) A machine according to claim 118 comprising:

(a) employing said inner cryptobox a plurality of times, using new subkeys of previous as
subkey of next time, using cipher text of previous as plain text of next time, yielding new
subkeys of final time as output.



(124) A method for automatically protecting confidentiality of information stored on a persistent
storage medium, the information being organized into a plurality of files, the steps of the method
comprising:

(a) protecting a plurality of files on an automatic file-by-file basis such that each of said 
plurality of files is automatically protected individually according to the steps of: 

(i) using a cryptosystem to encrypt said at least one file, thereby generating an
encrypted file; and

(ii) storing said encrypted file on the persistent storage medium. 

(125) The method according to claim 124, wherein the persistent storage medium is operated by a
computational device having a sleep mode, said computational device having a RAM (random access
memory), such that all information in said RAM is encrypted and written to the persistent storage
medium as a unit.



(126) The method according to claim 124, wherein the persistent storage medium is operated by a
computational device having a sleep mode, said computational device having a RAM (random access
memory), such that at least a portion of information in said RAM is encrypted.



(127) The method according to claim 124, wherein a ramdisk is used to store key material.

(128) A method according to claim 124, comprising the steps of: 

(129) A method according to claim 124, comprising the steps of: 

(b) performing a portion of said cryptosystem using a logic-gate implementation of a bit-slice 
representation of at least one component of said cryptosystem. 

(130) The method according to claim 124, said cryptosystem comprising the steps of:

(a) providing plain text,

(b) providing a plurality of subkeys, 

(c) employing said plain text and said subkeys to generate new subkeys, and 

(d) providing said new subkeys to another cryptosystem to process more plain texts. 



WO 99/08411    PCT/IL98/00369



Figure 1

110: Number the 32-bit input blocks 0..n; split each block into upper and lower halves.
120: Optionally, XOR the plaintext-derived input with a mask dependent on the round and the input block number. Optionally, derive the mask from the s-boxes.
130: Employ a form of multiplication to combine the plaintext-derived input (output from step 110 or 120) with round-dependent subkeys. Preferably and optionally, employ common multiplication of the two arguments plus the XOR of the two arguments.
140: Fold the results of two multiplications together. Preferably and optionally, the fold is: XOR the upper half of one multiplication with the lower half of the other. Preferably, concatenate the results together to form a full-size number.
150: Fold the result of the previous folding to effect folding of four distinct multiplications together. Preferably, fold by concatenating the lower half of the first argument with the upper half of the second argument.
160: Optionally, perform the E expansion mapping immediately before the s-boxes, or prior to the multiplication step.
170: Apply the s-boxes (bit-slicing logic gates optional). Apply the P permutation.

Figure 2

210: Key inserter employing a form of multiplication for key insertion.
220: Optionally, the key inserter employs a form of multiplication comprising (a*b)+(a XOR b).
230: Optionally, the key inserter employs a form of multiplication which is modulo over a Fermat field.
240: Optionally, the key inserter employs a form of multiplication which is common multiplication with the upper and lower halves folded together.
250: Optionally, the key inserter employs a form of multiplication which is common multiplication with the upper and lower halves folded into companion executions.
260: Optionally, the key inserter employs a form of multiplication which takes more than two arguments, for example a, b, c, comprising (a*b*c)+(a XOR b XOR c).
270: Optionally, the key inserter is in a machine which employs bit-slicing s-boxes.

Figure 3

310: Employ an operation on two inputs yielding a double-size result, folding half of the result into a companion execution.
320: Optionally, employ an operation on a plurality of n inputs yielding an n-size result, split into n equal pieces, folding n-1 pieces of the result into a companion execution.
330: Optionally, employ an operation for which each of the n pieces is labeled i=0..n-1; ensure that when folding, no two pieces with the same label i are folded into a given execution, even if the label i refers to pieces in distinct executions.
340: Optionally, employ an operation on two inputs yielding a double-size result in order to mix two distinct arguments. This may be applied a plurality of times.

Figure 4

410: Set the encryption algorithm to use a set of subkeys which are known in advance. Optionally, derive the subkeys from DES s-box entries.
420: Encrypt the desired master key at least the number of rounds needed to achieve dependence of every bit of the ciphertext on each bit of the master key.
430: Encrypt further an integral number of rounds, typically 1, 4, 8 or 16. Use the output of the s-boxes (step 170) as the desired subkeys.
440: Repeat the previous step until sufficient subkey material is pseudo-randomly generated for all the rounds. Typically 16 times.
450: Optionally, set the encryption keys to be the subkeys generated (in steps 430-440) and encrypt the ciphertext generated (by going to step 420).

Figure 5

510: A hasher using at least a 128-bit key and block size.
520: A hasher functional as a hash function wherein every bit of key and every bit of plaintext cause every single bit of the resultant ciphertext to become unpredictable.
530: A hasher which implements a large key size by circuits providing a large block size, creating a key scheduler able to perform key schedules in zero additional time, and creating a long-range mixer able to thoroughly mix input over the entire block size. A rapid-key-schedule-designer deterministically converts any similar hasher into a key schedule.
540: Optional, optimal sorting network providing a large block size extendable to arbitrary sizes.

Figure 6

610: Encrypt employing a key schedule comprising feeding the full set of 64 key bits per block into a rearranged PC2 from DES, whereby all of the key bits provided by the user are employed.
620: Optionally, entries of PC2 with values above 28 have four added to them, whereby the key schedule will have balanced left and right halves.
630: Optionally, carry out the key schedule rotation 64 bits at a time rather than in two groups of 32 each.
640: Optionally, modify the subkey based on the serial number of the parallel execution, whereby even if the master key repeats exactly, the subkeys will not.
650: Optionally, derive the subkey by finding a multiplicative inverse over a field.
660: Optionally, replace a zero subkey with a round-dependent mask value.

Figure 7

A form of multiplication features the steps of:

710: (i) multiplying a plurality of bits from the plaintext-derived input and a plurality of bits from a plurality of round-dependent subkeys to form a common multiplication product;
720: (ii) performing an exclusive-or function on a plurality of bits from the plaintext-derived input and a plurality of bits from a plurality of round-dependent subkeys to form a balanced product;
730: (iii) preferably, performing an addition function on the common multiplication product and the balanced product to form a pseudo-random product;
740: (iv) folding the upper half of the first pseudo-random product into the lower half of the second pseudo-random product to form a first result;
750: (v) folding the lower half of the first pseudo-random product into the upper half of the second pseudo-random product to form a second result;
760: (vi) concatenating the first result to the second result to form a folded product;
770: (vii) concatenating the lower half of the first folded product with the upper half of the second folded product to form a blended product.

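The following is an added worked example, not code from the patent: it runs the form of multiplication of Figure 7 (steps 710-770), which is also the operation of claims 109 and 110 and of Figure 1 steps 130-150, over four companion 32-bit executions and then checks how the inputs of each execution reach the words that would feed the E expansion and s-boxes. The 32-bit word width, the pairing of executions (0,1) and (2,3), and the order in which the blended halves are handed back to executions are assumptions made for illustration.

```python
# Added example (not from the patent): Figure 7 steps 710-770, the
# "form of multiplication" with folding, over four companion executions.
# Word width, execution pairing and output assignment are assumptions.

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def pseudo_random_product(x, k):
    """Steps 710-730: common product plus the balanced (XOR) product.

    x and k are 32-bit words. x*k <= (2**32-1)**2 and x^k < 2**32, so the
    sum is below 2**64 and no carry is lost.
    """
    x &= MASK32
    k &= MASK32
    return (x * k + (x ^ k)) & MASK64


def upper(p):
    return (p >> 32) & MASK32


def lower(p):
    return p & MASK32


def fold_pair(p1, p2):
    """Steps 740-760: cross-fold two 64-bit products into one 64-bit word.

    first  = upper(p1) XOR lower(p2)
    second = lower(p1) XOR upper(p2)
    """
    first = upper(p1) ^ lower(p2)
    second = lower(p1) ^ upper(p2)
    return (first << 32) | second


def blend_pair(fa, fb):
    """Step 770: lower half of the first folded product || upper half of the second."""
    return (lower(fa) << 32) | upper(fb)


def key_insert_four(xs, ks):
    """Steps 710-770 over four executions.

    xs: four 32-bit plaintext-derived words; ks: four 32-bit subkeys.
    Returns the four 32-bit words that feed executions 0..3 (assumed order).
    """
    assert len(xs) == 4 and len(ks) == 4
    p = [pseudo_random_product(x, k) for x, k in zip(xs, ks)]
    fa = fold_pair(p[0], p[1])
    fb = fold_pair(p[2], p[3])
    blend_a = blend_pair(fa, fb)  # lower(fa) || upper(fb)
    blend_b = blend_pair(fb, fa)  # lower(fb) || upper(fa)
    return [upper(blend_a), lower(blend_a), upper(blend_b), lower(blend_b)]


def influence_matrix(xs, ks):
    """m[i][j] is True when flipping some bit of xs[i] changes output word j.

    This is the check behind the abstract's statement that every s-box
    input depends on at least half of the parallel input bits.
    """
    base = key_insert_four(xs, ks)
    m = [[False] * 4 for _ in range(4)]
    for i in range(4):
        for b in range(32):
            xs2 = list(xs)
            xs2[i] ^= 1 << b
            out = key_insert_four(xs2, ks)
            for j in range(4):
                if out[j] != base[j]:
                    m[i][j] = True
    return m


if __name__ == "__main__":
    # Constructed sample inputs.
    xs = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0x0BADF00D]
    ks = [0x0F1E2D3C, 0x4B5A6978, 0x8796A5B4, 0xC3D2E1F0]
    for w in key_insert_four(xs, ks):
        print(f"{w:08x}")
    for row in influence_matrix(xs, ks):
        print("".join("x" if c else "." for c in row))
```

With this pairing every output word is a function of exactly two of the four executions (half of the parallel input bits), which is what the folding buys over a plain per-execution multiplication; the influence matrix makes that visible for any chosen inputs, and it is the first thing to re-run after changing the pairing or the fold.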
Figure 8

810: Extended P permutation machine.
820: Local permuter distributing bits from the output of a given local scrambler approximately evenly to the input of other local scramblers.
830: Designator designating s-box output; enumerator numbering the s-box output bits from 0..3.
840: Case 1: block size is one. Mapper mapping from 0..3 to 0..3 respectively.
850: Case 2: block size is two; swap one public and one private bit. Mapper mapping from 0, 2 to 0, 2 of the other block. Mapper mapping from 1, 3 to 1, 3 of the current block.
860: Case 3: block size is three; export a public bit to each neighbor. Mapper mapping from 1, 2 to 1, 2 of the current block. Mapper mapping from 0 to 0 of the next block. Mapper mapping from 3 to 3 of the previous block.
870: Case 4: block size is four; send one bit to each block. Mapper mapping from 0 to 0 of the current block. Mapper mapping from 1 to 1 of the next block. Mapper mapping from 2 to 2 of the next-next block. Mapper mapping from 3 to 3 of the previous block.

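The following is an added worked example, not code from the patent: it implements the local permuter of Figure 8 (steps 820-870) on the 32-bit s-box output words of one to four parallel executions and checks the balance property of step 820. The word layout (s-box j occupies bits 4j..4j+3 of the execution's word) and the encoding of "next"/"previous" as +1/-1 modulo the block count are assumptions for illustration.

```python
# Added example (not from the patent): the Figure 8 local permuter over
# the s-box output words of n parallel executions. Word layout and the
# modular encoding of next/previous block are assumptions.

MASK32 = 0xFFFFFFFF

# Figure 8 cases 840-870: destination block offset for s-box output bit 0..3.
LOCAL_SHIFTS = {
    1: (0, 0, 0, 0),    # 840: everything stays in the only block
    2: (1, 0, 1, 0),    # 850: bits 0 and 2 go to the other block
    3: (1, 0, 0, -1),   # 860: bit 0 to next block, bit 3 to previous
    4: (0, 1, 2, -1),   # 870: one bit to each block
}


def local_permute(words):
    """Distribute s-box output bits among n blocks (n = len(words), 1..4).

    Bit 4j+i of block b (s-box j, output bit i) moves to the same bit
    position of block (b + LOCAL_SHIFTS[n][i]) mod n.
    """
    n = len(words)
    shifts = LOCAL_SHIFTS[n]
    out = [0] * n
    for b, w in enumerate(words):
        w &= MASK32
        for j in range(8):        # eight s-boxes per execution
            for i in range(4):    # four output bits per s-box
                bit = (w >> (4 * j + i)) & 1
                dest = (b + shifts[i]) % n
                out[dest] |= bit << (4 * j + i)
    return out


def is_balanced(n):
    """Step 820 check: every block receives exactly one bit for each of the
    four positions, so no two exported bits collide and no position is empty."""
    shifts = LOCAL_SHIFTS[n]
    for dest in range(n):
        received = sorted(i for src in range(n) for i in range(4)
                          if (src + shifts[i]) % n == dest)
        if received != [0, 1, 2, 3]:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: block 0 has every s-box bit set, block 1 has none.
    print([f"{w:08x}" for w in local_permute([0xFFFFFFFF, 0x00000000])])
    print(all(is_balanced(n) for n in (1, 2, 3, 4)))
```

The shift table is the whole design: adding a fifth case means choosing offsets such that is_balanced still holds, and that function is the regression test for any new mapping before it is wired in front of the P permutation.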
Figure 9

910: Given X, Y, A, B, C, D.
920: Compute all 6 complements x, y, a, b, c, d of X, Y, A, B, C, D (lower case denotes the complement).
930: Compute 4 binary products (and) of X, Y with complements.
940: Compute 8 ternary products (and) of X, Y, A with complements.
950: Compute 4 binary products (and) of C, D with complements.
960: Compute 8 ternary products (and) of B, C, D with complements.
970: Compute 4 binary sums (or) of C, D with complements.
975: Compute 8 ternaries of B and (C or D) with complements.
980: Compute 2 exclusive-ors: C xor D and c xor D.
985: Compute 4 binaries of B and (C xor D) with complements.
990: Compute 4 products of B with C with complements, then B with D with complements. Therewith build the table entries.

Figure 10

A10: Create a set of masks.
A20: Initialize the masks to zero.
A30: Let each mask be composed of nibbles from entries in the s-box table, such that each s-box table entry is used exactly once.




TABLE I
Key Selection Permutation Table

14 17 11 24  1  5
45 56 35 41 51 59
 3 28 15  6 21 10
48 53 43 60 38 57
23 19 12  4 26  8
34 44 55 49 37 52
16  7 27 20 13  2
50 46 54 40 33 36
Figure 11

Key schedule (upper part of the figure): the predetermined initial subkeys and the master key enter a symmetric cipher (e.g. TMD); its output is the encrypted master key, from which the master-key derived subkeys are taken.

Subkey chaining mode (lower part of the figure): the first plaintext block is encrypted by the symmetric cipher (e.g. TMD) under the master-key derived subkeys, producing a ciphertext block and a chaining value; the chaining value serves as the new subkeys for the symmetric cipher encrypting the next plaintext block, which in turn produces a ciphertext block and the chaining value for the block after it.

Figure 12

C10: Number the 32-bit input blocks 0..n; split each block into upper and lower halves.
C30: Use a form of multiplication to combine the plaintext-derived input (output from step C10 or C20) with round-dependent subkeys.
C40: Fold the results of two multiplications together.
C50: Fold the result of the previous folding to effect folding of four distinct multiplications together.
C60: Apply the E expansion mapping.
C70: Apply the s-boxes. Apply the P permutation.

Figure 13

D10: Set the encryption algorithm to use a set of subkeys which are known in advance. Optionally, derive the subkeys from constants available elsewhere in the implementation.
D20: Encrypt the desired master key at least the number of rounds needed to achieve dependence of every bit of the ciphertext on each bit of the master key.
D30: Encrypt further an integral number of rounds. Use the intermediate values generated within a round as building blocks to form the desired subkeys.
D40: Repeat the previous step until sufficient subkey material is pseudo-randomly generated for all the rounds. The method used for key generation may differ from that employing these generated subkeys.
D50: Optionally, set the encryption keys to the subkeys generated (steps D30-D40) and encrypt the ciphertext generated (by going to step D20). Optionally, use the method to generate a master key from shorter supplied key material.

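The following is an added worked example, not code from the patent: a toy 64-bit Feistel cipher whose round function uses the claim 109 key insertion (common multiplication, then XOR of the product's upper and lower halves) is used to show two things on one piece of code, the key schedule of Figure 13 and Figure 4 (master key encrypted under fixed subkeys, round intermediates harvested as the working subkeys, claim 122) and the subkey chaining mode of Figure 11 and claims 118-123 (each block's round intermediates become the subkeys for the next block, in place of cipher block chaining). The round function's mixing step, the fixed initial subkeys, the decision that one full pass suffices for complete dependence, and the harvesting of exactly one subkey per round are assumptions for illustration; the patent's round is a DES round, not this one.

```python
# Added example (not from the patent): toy Feistel cipher used to show the
# Figure 13 key schedule and the Figure 11 subkey chaining mode. The mixer,
# the initial subkeys and the harvesting rule are assumptions.

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ROUNDS = 16

# D10: subkeys known in advance. Assumed: an odd constant times the round index.
INITIAL_SUBKEYS = [(0x9E3779B1 * (i + 1)) & MASK32 for i in range(ROUNDS)]


def key_insert(r, k):
    """Claim 109: common multiplication, then XOR of the product's halves."""
    p = (r * k + (r ^ k)) & MASK64         # Figure 7 steps 710-730
    return ((p >> 32) ^ p) & MASK32         # Figure 2 box 240


def round_function(r, k):
    """Key insertion followed by an assumed stand-in for the s-box/P layers."""
    v = key_insert(r, k)
    v ^= ((v << 13) | (v >> 19)) & MASK32
    v = (v + (v >> 7)) & MASK32
    return v ^ ((v << 5) & MASK32)


def feistel(block, subkeys, trace=None):
    """One Feistel pass; decrypt by passing the subkeys reversed.

    If trace is a list, every round function output is appended to it
    (the "intermediate values generated within a round" of step D30).
    """
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        f = round_function(right, k)
        if trace is not None:
            trace.append(f)
        left, right = right, left ^ f
    return (right << 32) | left             # undo the final swap


def encrypt(block, subkeys, trace=None):
    return feistel(block & MASK64, subkeys, trace)


def decrypt(block, subkeys, trace=None):
    rev = []
    out = feistel(block & MASK64, list(reversed(subkeys)), rev)
    if trace is not None:
        trace.extend(reversed(rev))         # same F outputs, reverse order
    return out


def key_schedule(master_key, passes=1):
    """Figure 13 steps D10-D50 (also Figure 4 steps 410-450).

    D20: one full pass under INITIAL_SUBKEYS (assumed enough for every state
         bit to depend on every master key bit in this toy).
    D30/D40: a further full pass whose 16 round outputs become the subkeys.
    D50: optionally repeat, re-keyed with the subkeys just produced.
    """
    subkeys = list(INITIAL_SUBKEYS)
    state = encrypt(master_key, subkeys)                    # D20
    for _ in range(passes):
        trace = []
        state = encrypt(state, subkeys, trace)              # D30
        subkeys = trace[:ROUNDS]                            # D40 / D50
    return subkeys


def chain_encrypt(blocks, subkeys):
    """Figure 11 / claim 119: the round intermediates of each block become
    the subkeys of the next block (chaining value as new subkeys)."""
    out = []
    for block in blocks:
        trace = []
        out.append(encrypt(block, subkeys, trace))
        subkeys = trace[:ROUNDS]
    return out


def chain_decrypt(blocks, subkeys):
    out = []
    for block in blocks:
        trace = []
        out.append(decrypt(block, subkeys, trace))
        subkeys = trace[:ROUNDS]          # the decryptor recovers the same values
    return out


if __name__ == "__main__":
    sk = key_schedule(0x0123456789ABCDEF)           # constructed master key
    msg = [0x4142434445464748, 0x4142434445464748, 0x00000000DEADBEEF]
    ct = chain_encrypt(msg, sk)
    print([f"{c:016x}" for c in ct])
    print(chain_decrypt(ct, sk) == msg)
```

Two properties of the mode follow directly from the code and are worth keeping in mind when comparing it with CBC: the two identical plaintext blocks in the sample encrypt to different ciphertext blocks because the second is keyed by the first block's intermediates, but the mode carries no initial vector, so the same message under the same master key always yields the same ciphertext stream; and because the chaining value is recovered from decryption of the previous block, a single corrupted ciphertext block makes every later block undecryptable, whereas in CBC the damage is confined to two blocks. Claim 121's option of encrypting the intermediates under a separate cryptobox key before using them is not shown.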
Figure 14

MultiDES internal round (64 block size, 64 key size). Input is a 32-bit piece.

32-bit input -> Expansion -> 48 bits -> Substitution boxes -> 32 bits -> P-permutation -> 32 bits.

The expansion, permutation and substitution boxes shown are typically those appearing in prior art DES. The multiplication section blowup is shown in Figure 16.

Figure 15

Feistel structure TMD (128 block, 128 key): 128-bit plaintext -> initial round -> 14 rounds -> final round -> 128-bit ciphertext.

Legend for figures 14-16:
(+) indicates exclusive-or
( ) indicates a form of multiplication
the symbol with a "+" inside it is standard addition

Figure 16

MultiDES internal round, multiplication section detail (64 block size, 64 key size). The output of the form of multiplication goes to the XOR of its upper and lower halves.

Figure 17

Legend for figures 17-19:
( ) receives 32-bit inputs, yields 64-bit output
(+) receives 32-bit inputs, yields 32-bit output

TMD internal round: two MultiDES rounds (128 block size, 128 key size).

Figure 18

TMD inner round function: three rounds of MultiDES in tandem. Input is a 96-bit piece. Each of the three parallel paths is: Expansion -> Substitution boxes -> Permutation.

Figure 19

TMD inner round function: four rounds of MultiDES in tandem (256 block size, 256 key size). Input is a 128-bit piece. Each of the four parallel paths is: Expansion -> Substitution boxes -> Permutation.

Figure 20

10: Detect intention to write to a cluster c.
20: Trap information provided by a user which is intended to be written to cluster c (or to a portion of a file using a file handle) and use a symmetric cryptosystem to encrypt said information.
30: Store said information as cluster c (or to a portion of a file using a file handle) on a notebook computer.

Figure 21

100: Provide a pass phrase, e.g. choose any combination of human-language-like words containing ideally 80 to 90 or more bits of entropy.
110: Provide a MAC key k (typically k at most 128 bits).
120: Process the pass phrase using MD5-MAC and k, with a preferably modified final step 6 in which a full 128-bit quantity is obtained.
130: Partition the 128-bit quantity into a pair of 64-bit quantities to provide a key protection key (typically 56 or 64 bits) and a key generation key (typically 56 or 64 bits).
140: Generate a file key using figure 3 and the key generation key.

Figure 22

200: Given a sector of a DOS directory and the offset 1 < j < 17 of a particular file entry within it, generate a cryptographic key (typically DES) as follows:
210: Provide 8 bytes per directory entry starting at 16 Hex, 36 Hex, 56 Hex, etc., obtaining 16 64-bit intermediate keys (typically DES) numbered 0 < i < 17.
220: Encrypt using an algorithm with 64-bit block size and 64-bit key size (typically DES) with intermediate key i as plaintext and intermediate key j as the key to obtain an intermediate value as ciphertext.
230: Encrypt using an algorithm with 64-bit block size and 64-bit key size (typically DES) with intermediate key i as plaintext and the intermediate value from the previous encryption as the key to obtain a new intermediate value as ciphertext.
240: Is i < 17? If yes, repeat step 230 with the next i; if no, continue.
260: Encrypt using an algorithm with 64-bit block size and 64-bit key size (typically DES) with the resulting intermediate value for i=16 as plaintext and the key generation key from the MD5-MAC (typically as in figure 2) as the key to obtain a file key as ciphertext.

Figure 23

300: Generate a symmetric cipher key (typically using figure 3).
310: Encrypt a file or directory with a symmetric cipher (typically DES, typically in accordance with figure 1).
320: Encrypt the file key as plaintext using a key protection key (typically generated using figure 2) as the key with a symmetric cipher to obtain a protected file key.
330: Store the protected file key in a conveniently locatable place on the disk (typically in the last bytes of the last cluster allocated to the file).

Figure 24

400: Generate a symmetric cipher key (typically using figure 3).
410: Encrypt a file or directory with a symmetric cipher and store the key (typically using figure 4).
420: Provide a key protection key (typically generated using figure 2).
430: Retrieve the protected file key from a conveniently locatable place on the disk (typically in the last bytes of the last cluster allocated to the file). Typically the sector number of a given sector of the file is given, from which the last cluster of the file is derived using the DOS File Allocation Table.
440: Decrypt the protected file key as ciphertext using a key protection key (typically generated using figure 2) as the key with a symmetric cipher to obtain a file key.
450: Decrypt the file using the file key as the key using conventional methods (or typically using figure 7).

Figure 25

500: Provide a key (typically generated in figure 3).
510: Provide a sector number of the data to be encrypted.
520: Derive, using conventional means, from the sector number information which is unique to the presently installed hard disk and current location, such as hard drive number, cylinder number (0..1023), sector number (1..17), number of the read/write heads (0..1), to obtain a location serial number (typically 15 or more bits long).
530: Partition a sector (typically 512 bytes) based on the symmetric cipher block size (typically 256 bytes) into plaintext blocks (typically 2 blocks). Typically, use a fast parallel bit-wise vector implementation of DES with common multiplication with final carry discarded, or multiplication over a ring, substituted for xor when combining the subkey with the plaintext-derived input.
540: Using the location serial number as the initial vector, encrypt the sector with cipher-block-chaining using conventional methods.

Figure 26

600: Provide a key (typically generated in figure 3).
610: Provide a sector number of the data (typically within a file) to be encrypted.
620: Derive, using conventional means, from the sector number information which is unique to the presently installed hard disk and current location, such as hard drive number, cylinder number (0..1023), sector number (1..17), number of the read/write heads (0..1), to obtain a location serial number (typically 15 or more bits long).
630: Partition a sector (typically 512 bytes) based on the symmetric cipher block size (typically 8 bytes) into plaintext blocks (typically 64 blocks).
640: Using the location serial number as the initial vector, encrypt the sector with cipher-block-chaining using conventional methods.

Figure 27

100: Generate a first permutation which includes a left half L* and a right half R*, wherein L* is generated by composition of an inverse P permutation and a left half, L, of an initial permutation, and wherein R* is generated by composition of the inverse P permutation and a right half, R, of the initial permutation.
105: Generate a second permutation which includes a left half L** and a right half R**, wherein L** is generated by composition of the P permutation and a left half, L, of a final permutation, and wherein R** is generated by composition of the P permutation and a right half, R, of the final permutation.
110: Generate a mapping by composition of the P permutation with an E-expansion.
115: Generate plain-text derived input by performing the first permutation on the plaintext.
120: Run 56 one-bit variables through a DES key schedule and record 16 48-bit subkeys in terms of the 56 variables, thereby generating a subkey table.
125: n = 1.
130: Compute the subkey for the n'th round by plugging in the 56-bit DES key as input to the [((n - 1) modulo 16) + 1]'th subkey in the subkey table.
135: Use a PC with a 32-bit register to perform the n'th DES round on the n'th subkey and plain-text derived input, but substitute addition for XOR. Use the fig 4 implementation of this step if steps 100-110 are performed.
140: If n is an integer multiple of 16, replace the DES key.
145: n = n + 1.
If n > 48, proceed to step 150; otherwise return to step 130.
150: Generate cipher text by performing the second permutation on the 64-bit round output of the last DES round.

Figure 28

200: Provide a 48-bit subkey, e.g. derive a dependent 48-bit subkey from the DES key using the standard key schedule.
210: Expand the right half of the 64-bit plain text derived input from 32 bits to 48 bits, using the 64-bit round output from the previous round as plain text derived input for rounds 1 < n <= N and using the plain text as plain text derived input for round n = 1.
220: Generate the 48-bit sum of the 48-bit subkey plus the 48-bit expanded right half, ignoring the final carry if any.
230: Partition the 48-bit sum into 8 6-bit sum portions.
240: For each 6-bit sum portion, perform a table look-up to obtain a 4-bit quantity.
250: Concatenate the 8 4-bit results of table look-up to obtain a 32-bit quantity.
260: Permute the 32-bit quantity.
270: Generate the 64-bit round output as follows: the left half of the 64-bit quantity is the right half of the plain text derived input; and the right half of the 64-bit quantity is the XOR of the left half of the plain text derived input and the permuted 32-bit quantity.

Figure 29

300: Provide a 48-bit subkey and generate 48 subkey-derived integers, wherein the i'th subkey-derived integer (1 <= i <= 48) is all 1's if the i'th bit of the subkey is 1 and all 0's if the i'th bit of the subkey is 0.
320: Use the expansion table to associate (with repetition) one of the 32 right half integers with each of 48 cell positions, thereby to define an i'th right half integer for each 1 <= i <= 48.
330: Sum the i'th subkey-derived integer with the i'th right half integer for each 1 <= i <= 48, ignoring the final carry, to obtain a sequence of 48 sum values.
340: Partition the sequence of 48 sum values into 8 subsequences including 6 sum values each.
350: For each subsequence of 6 sum values, perform a series of logic gate operations to obtain a subsequence of 4 s-box outputs, thereby obtaining a first sequence of 32 s-box outputs.
360: Based on the DES p-permutation table, generate a one-to-one correspondence between the serial numbers from 1 to 32 and the 32 s-box outputs in the first sequence, thereby to define a permuted sequence of the 32 s-box outputs.
370: Generate an output sequence of 64 integers as follows: the first half of the output sequence is integers 33-64 in the sequence of 64 plain text derived integers; and the second half of the output sequence is the XOR of integers 1-32 in the sequence of 64 plain text derived integers with the permuted sequence of 32 s-box outputs.

Figure 30

400: Provide a 48-bit subkey, e.g. derive a dependent 48-bit subkey from the DES key using the standard key schedule.
410: Use the mapping generated in step 110 to expand and permute the right half of the 64-bit plain text derived input from 32 bits to 48 bits, using the 64-bit round output from the previous round as plain text derived input for rounds 1 < n <= N and using the plain text as plain text derived input for round n = 1.
420: Generate the 48-bit sum of the 48-bit subkey plus the 48-bit expanded right half, ignoring the final carry if any.
430: Partition the 48-bit sum into 8 6-bit sum portions.
440: For each 6-bit sum portion, perform a table look-up to obtain a 4-bit quantity.
450: Concatenate the 8 4-bit results of table look-up to obtain a 32-bit quantity.
460: Generate the 64-bit round output as follows: the left half of the 64-bit quantity is the right half of the plain text derived input; and the right half of the 64-bit quantity is the XOR of the left half of the plain text derived input and the 32-bit quantity generated in step 450.

Figure 31

500: Provide a 48-bit subkey, e.g. derive a dependent 48-bit subkey from the DES key using the standard key schedule.
510: Ignoring the final carry if any, generate the 48-bit sum of the 48-bit subkey plus the 48-bit expanded right half from the previous round (in the first round, use the conventional expansion permutation to expand the right half of the 64-bit plain text).
520: Partition the 48-bit sum into 8 6-bit sum portions and store each sum portion in an addressable memory unit, e.g. store each sum portion in a byte and use the 2 remaining bits in the byte to hold two selected bits in the 48-bit sum.
530: For each such byte (or bit portion), perform a table look-up to obtain a permuted expanded 32-bit quantity.
540: XOR the 8 quantities generated in the previous step to yield a 32-bit XOR output.
550: Generate the 64-bit round output as follows: the left half of the 64-bit round output is the right half of the plain text derived input; and the right half of the 64-bit round output is the XOR of the left half of the plain text derived input and the 32-bit XOR output.
560: Expand the right half of the 64-bit plain text derived input from 32 bits to 48 bits, using the 64-bit round output from the previous round as plain text derived input for rounds 1 < n <= N and using the plain text as plain text derived input for round n = 1.

Figure 32

Generate a first permutation which includes a left half L* and a right half R* and wherein L* is generated by composition of an inverse P permutation and a left half, L, of an initial permutation, and wherein R* is generated by composition of the inverse P permutation and a right half, R, of the initial permutation. 1100

Generate a second permutation which includes a left half L** and a right half R** and wherein L** is generated by composition of the P permutation and a left half, L, of a final permutation, and wherein R** is generated by composition of the P permutation and a right half, R, of the final permutation. 1105

Generate a mapping by composition of the P permutation with an E-expansion. 1110

Generate plain-text derived input by performing first permutation on plain text. 1115

Run 56 one-bit variables through a DES key schedule and record 16 48-bit subkeys in terms of the 56 variables, thereby generating a subkey table. 1120

n = 1. 1125

Compute subkey for n'th round by plugging in 56-bit DES key as input to the [((n - 1) modulo 16) + 1]'th subkey in subkey table. 1130

Use PC with 32-bit register to perform n'th DES round on n'th subkey and plain-text derived input but substitute common multiplication with final carry discarded or multiplication over ring instead of XOR. Use Fig. 9 implementation of this step if steps 1100-1110 are performed. 1135

If n = integer multiple of 16, replace DES key. 1140

n = n + 1. 1145

n > 48? 1150

Generate cipher text by performing second permutation on 64-bit round output of the last DES round. 1155
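The subkey table of steps 1120 and 1130, as an added Python example that is not the patent's own code: the standard DES key schedule (the published PC-1, PC-2 and shift tables) is run once on 56 symbolic one-bit variables, so each of the 16 subkeys becomes a list of 48 variable numbers; a concrete subkey for round n is then obtained by plugging the key bits into table entry ((n - 1) mod 16) + 1. The function and variable names are this example's own.

```python
# Added example (not the patent's own code): Figure 32, steps 1120 and 1130.
# Variables v1..v56 are the 56 key bits in PC-1 output order; C0 = v1..v28, D0 = v29..v56.
# PC1, PC2 and SHIFTS are the published DES key-schedule tables (bit 1 = MSB of the 64-bit key).
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2,
       59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39,
       31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37,
       29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4,
       26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40,
       51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def subkey_table():
    """Step 1120: run the 56 variables through the schedule once and return
    16 entries, each a list of the 48 variable numbers that form that subkey."""
    c = list(range(1, 29))       # variable numbers currently in register C
    d = list(range(29, 57))      # variable numbers currently in register D
    table = []
    for s in SHIFTS:
        c = c[s:] + c[:s]        # left rotation of C by s positions
        d = d[s:] + d[:s]        # left rotation of D by s positions
        cd = c + d
        table.append([cd[p - 1] for p in PC2])   # PC-2 selects 48 of the 56 variables
    return table


def pc1_variables(key64):
    """Values of v1..v56 for a 64-bit DES key given as an int (parity bits dropped by PC-1)."""
    return [(key64 >> (64 - p)) & 1 for p in PC1]


def subkey_for_round(n, key64, table):
    """Step 1130: subkey for round n (1-based, n may exceed 16) by plugging the key
    bits into table entry ((n - 1) mod 16) + 1; returns a 48-bit int."""
    v = pc1_variables(key64)
    k = 0
    for var in table[(n - 1) % 16]:
        k = (k << 1) | v[var - 1]
    return k
```

Because the table holds variable numbers rather than bit values, it is computed once and reused for every key; replacing the DES key at step 1140 only changes the values plugged in, not the table. The sample key in the test is the widely used DES test-vector key, whose first subkey is 0x1B02EFFC7072.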
Figure 33

Provide 48-bit subkey, e.g. derive dependent 48-bit subkey from DES key using standard key schedule. 1200

Expand right half of 64-bit plain text derived input from 32 bits to 48 bits, using 64-bit round output from previous round as plain text derived input for rounds 1 < n < N and using plain text as plain text derived input for round n = 1. 1210

Generate 48-bit product of 48-bit subkey times 48-bit expanded right half, using common multiplication with final carry discarded or multiplication over a ring.

Partition 48-bit product into 8 6-bit product portions. 1230

For each 6-bit product portion, perform table look-up to obtain a 4-bit quantity. 1240

Concatenate the 8 4-bit results of table look-up to obtain a 32-bit quantity.

Permute 32-bit quantity. 1260

Generate 64-bit round output as follows: left half of 64-bit quantity is right half of plain text derived input; and right half of 64-bit quantity is XOR of left half of plain text derived input and permuted 32-bit quantity. 1270
Figure 34

Provide 48-bit subkey and generate 48 subkey-derived integers, wherein i'th subkey derived integer (1 <= i <= 48) is all 1's if the i'th bit of subkey is 1 and all 0's if the i'th bit of the subkey is 0. 1300

Use expansion table to associate (with repetition) one of the 32 right half integers with each of 48 cell positions, thereby to define an i'th right half integer for each 1 <= i <= 48. 1320

Multiply i'th subkey derived integer by i'th right half integer for each 1 <= i <= 48 to obtain a sequence of 48 product values, using common multiplication with final carry discarded or multiplication over a ring.

Partition sequence of 48 product values into 8 subsequences including 6 product values each.

For each subsequence of 6 sum values, perform a series of logic gate operations to obtain a subsequence of 4 s-box outputs, thereby obtaining a first sequence of 32 s-box outputs.

Based on DES p-permutation table, generate a one-to-one correspondence between the serial numbers from 1 to 32 and the 32 s-box outputs in the first sequence, thereby to define a permuted sequence of the 32 s-box outputs.

Generate an output sequence of 64 integers as follows: first half of output sequence is integers 33-64 in sequence of 64 plain text derived integers; and second half of output sequence is XOR of integers 1-32 in sequence of 64 plain text derived integers with permuted sequence of 32 s-box outputs. 1370
Figure 35

Provide 48-bit subkey, e.g. derive dependent 48-bit subkey from DES key using standard key schedule.

Use mapping generated in step 1110 to expand and permute right half of 64-bit plain text derived input from 32 bits to 48 bits, using 64-bit round output from previous round as plain text derived input for rounds 1 < n < N and using plain text as plain text derived input for round n = 1. 1410

Generate 48-bit product of 48-bit subkey times 48-bit expanded right half, using common multiplication with final carry discarded or multiplication over a ring. 1420

Partition 48-bit product into 8 6-bit product portions. 1430

For each 6-bit product portion, perform table look-up to obtain a 4-bit quantity. 1440

Concatenate the 8 4-bit results of table look-up to obtain a 32-bit quantity. 1450

Generate 64-bit round output as follows: left half of 64-bit quantity is right half of plain text derived input; right half of 64-bit quantity is XOR of left half of plain text derived input and 32-bit quantity generated in step 1450.
Figure 36

Provide 48-bit subkey, e.g. derive dependent 48-bit subkey from DES key using standard key schedule. 1500

Generate 48-bit product of 48-bit subkey times 48-bit expanded right half from previous round (in first round, use conventional expansion permutation to expand right half of 64-bit plain text). 1510

Partition 48-bit product into 8 6-bit product portions and store each product portion in an addressable memory unit, e.g. store each sum portion in a byte and use 2 remaining bits in byte to hold two selected bits in the 48-bit product. 1520

For each such byte (or bit portion), perform table look-up to obtain a permuted expanded 32-bit quantity. 1530

XOR the 8 quantities generated in previous step to yield a 32-bit XOR output. 1540

Generate 64-bit round output as follows: left half of 64-bit round output is right half of plain text derived input; and right half of 64-bit round output is XOR of the left half of plain text derived input and 32-bit XOR output. 1550

Expand right half of 64-bit plain text derived input from 32 bits to 48 bits, using 64-bit round output from previous round as plain text derived input for rounds 1 < n < N and using plain text as plain text derived input for round n = 1. 1560
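The Figure 33 round function (steps 1210 to 1270, with the 48-bit subkey inserted by common multiplication with the final carry discarded) and the Figure 36 table-driven arrangement (steps 1530 and 1540, where each look-up already returns a permuted 32-bit contribution and the eight contributions are XORed), as one added Python example that is not the patent's own code. E and P are the published DES tables; the eight 6-to-4 S-boxes are constructed from a simple formula as stand-ins for the DES S-boxes, since the point being shown is the key insertion, and all function names are this example's own. The last function goes slightly beyond the figures: it counts how many key-inserted bits change when one subkey bit flips, to contrast XOR insertion with multiplicative insertion.

```python
# Added example (not the patent's own code): Figure 33 round function and the
# Figure 36 combined S-box/P look-up tables. E and P are the published DES tables.
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
MASK48 = (1 << 48) - 1

# CONSTRUCTED stand-in S-boxes (not the DES S-boxes): box j maps a 6-bit value to 4 bits.
SBOX = [[((x * (2 * j + 3) + j) ^ (x >> 2)) & 0xF for x in range(64)] for j in range(8)]


def permute(value, table, width):
    """DES-style table: output bit i (MSB first) is input bit table[i] (1 = MSB of width bits)."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out


def key_insert(subkey48, expanded48):
    """Common multiplication with the carry out of bit 48 discarded (the XOR replacement)."""
    return (subkey48 * expanded48) & MASK48


def f_multiplicative(right32, subkey48):
    """Figure 33 f function: expand (1210), multiply, partition (1230),
    look up (1240), concatenate, permute (1260)."""
    product = key_insert(subkey48, permute(right32, E, 32))
    portions = [(product >> (42 - 6 * j)) & 0x3F for j in range(8)]   # 8 six-bit portions
    word = 0
    for j, portion in enumerate(portions):
        word = (word << 4) | SBOX[j][portion]                         # 8 four-bit results
    return permute(word, P, 32)


def round_fig33(left32, right32, subkey48):
    """Step 1270: Feistel output (new left, new right)."""
    return right32, left32 ^ f_multiplicative(right32, subkey48)


# Figure 36 arrangement: table j maps a 6-bit portion straight to the 32-bit P-permuted
# contribution of S-box j, so the eight look-ups are simply XORed (steps 1530, 1540).
SP = [[permute(SBOX[j][x] << (28 - 4 * j), P, 32) for x in range(64)] for j in range(8)]


def f_table_driven(right32, subkey48):
    product = key_insert(subkey48, permute(right32, E, 32))
    out = 0
    for j in range(8):
        out ^= SP[j][(product >> (42 - 6 * j)) & 0x3F]
    return out


def key_bits_affected(subkey48, expanded48, flip_bit):
    """(xor_changes, mul_changes): number of the 48 key-inserted bits that change when
    subkey bit flip_bit is toggled. XOR insertion always changes exactly one bit;
    multiplication lets the change propagate through the carries."""
    flipped = subkey48 ^ (1 << flip_bit)
    xor_diff = (subkey48 ^ expanded48) ^ (flipped ^ expanded48)
    mul_diff = key_insert(subkey48, expanded48) ^ key_insert(flipped, expanded48)
    return bin(xor_diff).count("1"), bin(mul_diff).count("1")
```

Because P is a bit permutation, and therefore linear over XOR, folding it into each S-box's table and XORing the eight results gives exactly the same 32-bit word as concatenating the nibbles and permuting afterwards; the test checks the two paths agree. A subkey of all ones, or of zero, makes the product degenerate (negation of the expanded half, or zero), which is the kind of weak-key behaviour any deployment of a multiplicative key insertion would need to screen for.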